Lecture02: Symmetric Cryptography 1
advertisement
Lecture 02 Symmetric Cryptography Asst.Prof. Supakorn Kungpisdan, Ph.D. supakorn@mut.ac.th NETE0519-ISEC0513 1 Outline Overview of Cryptography Symmetric Cryptography Classical Cryptographic Techniques Block Ciphers VS Stream Cipher DES and 3DES Advanced Encryption Standard (AES) Design of Symmetric Cryptosystems Locations of Encryption Devices Key Distribution Random Numbers Problems of Symmetric Cryptography NETE0519-ISEC0513 2 Basic Terminology plaintext - original message ciphertext - coded message cipher - algorithm for transforming plaintext to ciphertext key - info used in cipher known only to sender/receiver encipher (encrypt) - converting plaintext to ciphertext decipher (decrypt) - recovering ciphertext from plaintext cryptography - study of encryption principles/methods cryptanalysis (codebreaking) - study of principles/ methods of deciphering ciphertext without knowing key cryptology - field of both cryptography and cryptanalysis NETE0519-ISEC0513 3 How a Cryptosystem Works Plaintext (M) (data file or messages) encryption algorithm (E) + secret key A (KA) EKa(M) = C DKb(C) = M DKb(EKa(M)) = M Ciphertext (C) (stored or transmitted safely) decryption algorithm (D) + secret key B (KB) Plaintext (M) (original data or messages) Note: Key A may be the same as Key B, depending on the algorithm NETE0519-ISEC0513 4 Brute Force Search always possible to simply try every key most basic attack, proportional to key size assume either know / recognise plaintext Key Size (bits) Number of Alternative Keys Time required at 1 decryption/µs Time required at 106 decryptions/µs 32 232 = 4.3 109 231 µs = 35.8 minutes 2.15 milliseconds 56 256 = 7.2 1016 255 µs = 1142 years 10.01 hours 128 2128 = 3.4 1038 2127 µs = 5.4 1024 years 5.4 1018 years 168 2168 = 3.7 1050 2167 µs = 5.9 1036 years 5.9 1030 years 26! = 4 1026 2 1026 µs = 6.4 1012 years 26 characters (permutation) NETE0519-ISEC0513 6.4 106 years 5 Types of Cryptography Symmetric Cryptography Deploy the same secret key to encrypt and decrypt messages The secret key is shared between two parties Encryption algorithm is the same as decryption algorithm Asymmetric (Public-key) Cryptography Private key, Public key The secret key is not shared and two parties can still communicate using their public keys Encryption alg. is different from decryption alg. NETE0519-ISEC0513 6 Symmetric Cryptography NETE0519-ISEC0513 7 Public-Key Cryptography NETE0519-ISEC0513 8 Outline Overview of Cryptography Symmetric Cryptography Classical Cryptographic Techniques Block Ciphers VS Stream Ciphers DES and 3DES Advanced Encryption Standard (AES) Design of Symmetric Cryptosystems Locations of Encryption Devices Key Distribution Random Numbers Problems of Symmetric Cryptography NETE0519-ISEC0513 9 Model of Symmetric Cryptosystem NETE0519-ISEC0513 10 What is Symmetric Encryption used for? Transmitting data over an insecure channel Secure stored data (encrypt & store) Provide integrity check NETE0519-ISEC0513 11 Properties of Symmetric Cryptography Message Confidentiality Message Authentication Message Integrity NETE0519-ISEC0513 12 Cryptanalysis Depending on what a cryptanalyst has to work with, attacks can be classified into Ciphertext only attack Known plaintext attack Chosen plaintext attack Chosen ciphertext attack (most severe) NETE0519-ISEC0513 13 Ciphertext-only Attack Collect ciphertexts of several messages encrypted using the same encryption algorithm and try to recover plaintexts or encrypting key(s). Given: C1 = Ek(P1), C2=Ek(P2), ..., Ci=Ek(Pi) Deduce: Either P1, P2, …, Pi; k; or an algorithm to infer Pi+1 from Ci+1=Ek(Pi+1) NETE0519-ISEC0513 14 Known-plaintext Attack Able to collect ciphertext of several messages and corresponding plaintext, and try to resolve the encrypting key(s). Given: P1, C1 = Ek(P1), P2, C2=Ek(P2), ..., Pi, Ci=Ek(Pi) Deduce: Either k, or an algorithm to infer Pi+1 from Ci+1=Ek(Pi+1) NETE0519-ISEC0513 15 Chosen-plaintext Attack Able to collect ciphertext of several messages and associated plaintext, and also able to choose the plaintext that gets encrypted. Try to deduce the encrypting key(s). More powerful than known-plaintext attack Given: P1, C1 = Ek(P1), P2, C2=Ek(P2), ..., Pi, Ci=Ek(Pi) where the cryptanalyst gets to choose P1,…, Pi Deduce: Either k, or an algorithm to infer Pi+1 from Ci+1=Ek(Pi+1) NETE0519-ISEC0513 16 Chosen-ciphertext Attack Able to choose different ciphertext to be decrypted and has access to the decrypted plaintext. Try to deduce the key E.g. has access to a tamperproof box that does automatically decryption. Given: C1, P1 = Dk(C1), C2, P2=Dk(C2), ..., Ci, Pi=Dk(Ci) Deduce: k Primarily applicable to public-key algorithms. NETE0519-ISEC0513 17 More Definitions unconditional security no matter how much computer power or time is available, the cipher cannot be broken since the ciphertext provides insufficient information to uniquely determine the corresponding plaintext computational security given limited computing resources (eg time needed for calculations is greater than age of universe), the cipher cannot be broken NETE0519-ISEC0513 18 Outline Overview of Cryptography Symmetric Cryptography Classical Cryptographic Techniques Block Ciphers VS Stream Ciphers DES and 3DES Advanced Encryption Standard (AES) Design of Symmetric Cryptosystems Locations of Encryption Devices Key Distribution Random Numbers Problems of Symmetric Cryptography NETE0519-ISEC0513 19 Substitution Ciphers Character in plaintext is substituted for another character in ciphertext Caesar Cipher: each plaintext character is replaced by the character three to the right modulo 26. E.g. AD, BE, XA ROT13: commonly found in UNIX systems. Every plaintext character is rotated 13 places. NETE0519-ISEC0513 20 Caesar Cipher earliest known substitution cipher by Julius Caesar first attested use in military affairs replaces each letter by 3rd letter on example: meet me after the toga party PHHW PH DIWHU WKH WRJD SDUWB NETE0519-ISEC0513 21 Caesar Cipher (cont.) K=3 Outer: plaintext Inner: ciphertext NETE0519-ISEC0513 22 Caesar Cipher (cont.) can define transformation as: a b c d e f g h i j k l m n o p q r s t u v w x y z D E F G H I J K L M N O P Q R S T U V W X Y Z A B C mathematically give each letter a number a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 then have Caesar cipher as: c = E(p) = (p + k) mod (26) p = D(c) = (c – k) mod (26) NETE0519-ISEC0513 23 Cryptanalysis of Caesar Cipher only have 26 possible ciphers A maps to A,B,..Z could simply try each in turn a brute force search given ciphertext, just try all shifts of letters do need to recognize when have plaintext eg. break ciphertext "GCUA VQ DTGCM" NETE0519-ISEC0513 24 Monoalphabetic Cipher rather than just shifting the alphabet could shuffle (jumble) the letters arbitrarily each plaintext letter maps to a different random ciphertext letter hence key is 26 letters long Plain: abcdefghijklmnopqrstuvwxyz Cipher: DKVQFIBJWPESCXHTMYAUOLRGZN Plaintext: ifwewishtoreplaceletters Ciphertext: WIRFRWAJUHYFTSDVFSFUUFYA NETE0519-ISEC0513 25 Monoalphabetic Cipher Security now have a total of 26! = 4 x 1026 keys with so many keys, might think is secure but would be !!!WRONG!!! problem is language characteristics NETE0519-ISEC0513 26 Language Redundancy and Cryptanalysis human languages are redundant eg "th lrd s m shphrd shll nt wnt" letters are not equally commonly used in English E is by far the most common letter followed by T,R,N,I,O,A,S other letters like Z,J,K,Q,X are fairly rare have tables of single, double & triple letter frequencies for various languages NETE0519-ISEC0513 27 English Letter Frequencies NETE0519-ISEC0513 28 Use in Cryptanalysis key concept - monoalphabetic substitution ciphers do not change relative letter frequencies discovered by Arabian scientists in 9th century calculate letter frequencies for ciphertext compare counts/plots against known values if caesar cipher look for common peaks/troughs peaks at: A-E-I triple, NO pair, RST triple troughs at: JK, X-Z for monoalphabetic must identify each letter tables of common double/triple letters help NETE0519-ISEC0513 29 Example Cryptanalysis given ciphertext: UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ count relative letter frequencies (see text) guess P & Z are e and t guess ZW is th and hence ZWP is the proceeding with trial and error finally get: it was disclosed yesterday that several informal but direct contacts have been made with political representatives of the viet cong in moscow NETE0519-ISEC0513 30 Vigenère Cipher simplest polyalphabetic substitution cipher effectively multiple caesar ciphers key is multiple letters long K = k1 k2 ... kd ith letter specifies ith alphabet to use use each alphabet in turn repeat from start after d letters in message decryption simply works in reverse NETE0519-ISEC0513 31 Example of Vigenère Cipher write the plaintext out write the keyword repeated above it use each key letter as a caesar cipher key encrypt the corresponding plaintext letter eg using keyword deceptive key: deceptivedeceptivedeceptive plaintext: wearediscoveredsaveyourself ciphertext:ZICVTWQNGRZGVTWAVZHCQYGLMGJ NETE0519-ISEC0513 32 Transposition Ciphers now consider classical transposition or permutation ciphers these hide the message by rearranging the letter order without altering the actual letters used can recognise these since have the same frequency distribution as the original text NETE0519-ISEC0513 33 Rail Fence cipher write message letters out diagonally over a number of rows then read off cipher row by row eg. write message out as: m e m a t r h t g p r y e t e f e t e o a a t giving ciphertext MEMATRHTGPRYETEFETEOAAT NETE0519-ISEC0513 34 Row Transposition Ciphers a more complex transposition write letters of message out in rows over a specified number of columns then reorder the columns according to some key before reading off the rows Key: 3 4 2 1 5 6 7 Plaintext: a t t a c k p o s t p o n e d u n t i l t w o a m x y z Ciphertext: APTMTTNAAODWTSUOCOIXKNLYPETZ NETE0519-ISEC0513 35 Steganography Plaintext can be hidden by two ways: Steganography: conceal the existence of the message Cryptography: render the message unintelligible to outsiders using various kinds of transformation of the text Examples of Steganography Character marking: overwrite text with pencil Invisible ink: use special substance Pin punctures: pin puncture on selected letters NETE0519-ISEC0513 36 One-Time Pad One-time pad is a large non-repeating set of truly random key letters Encryption is a additional modulo 26 of plaintext character Pad length must be equal to the message length !!! For example: Message: ONETIMEPAD Pad Sequence: TBFRGFARFM Ciphertext: IPKLPSFHGQ Because O+T mod 26 = I 15+20 mod 26 = 9 N+B mod 26 = P 14+2 mod 26 = 16 E+F mod 26 = K, etc. NETE0519-ISEC0513 Decryption P+K mod 26 = C P = C-K mod 26 I-T mod 26 = 9-20 mod 26 = -11 mod 26 = -11+26 mod 26 = 15 mod 26 =O 37 One-Time Pad (cont.) if a truly random key as long as the message is used, the cipher will be secure called a One-Time pad is unbreakable since ciphertext bears no statistical relationship to the plaintext since for any plaintext & any ciphertext there exists a key mapping one to other can only use the key once though problems in generation & safe distribution of key NETE0519-ISEC0513 38 Outline Overview of Cryptography Symmetric Cryptography Classical Cryptographic Techniques Block Ciphers VS Stream Ciphers DES and 3DES Advanced Encryption Standard (AES) Design of Symmetric Cryptosystems Locations of Encryption Devices Key Distribution Random Numbers Problems of Symmetric Cryptography NETE0519-ISEC0513 39 Cryptographic Process Message m1 m2 Message mn m1 Encryption c1 c2 Ciphertext NETE0519-ISEC0513 m2 mn Decryption cn c1 c2 cn Ciphertext 40 Block Cipher VS Stream Cipher Block cipher: divides entire message in to blocks used to produce ciphertext. Stream cipher: encrypts a data stream one bit or one byte at a time. NETE0519-ISEC0513 41 Stream Ciphers process message bit by bit (as a stream) have a pseudo random keystream combined (XOR) with plaintext bit by bit randomness of stream key completely destroys statistically properties in message Ci = Mi XOR StreamKeyi but must never reuse stream key otherwise can recover messages (cf book cipher) NETE0519-ISEC0513 42 Stream Cipher Structure NETE0519-ISEC0513 43 Stream Cipher Properties some design considerations are: long period with no repetitions statistically random depends on large enough key large linear complexity properly designed, can be as secure as a block cipher with same size key but usually simpler & faster NETE0519-ISEC0513 44 RC4 a proprietary cipher owned by RSA DSI another Ron Rivest design, simple but effective variable key size, byte-oriented stream cipher widely used (web SSL/TLS, wireless WEP) key forms random permutation of all 8-bit values uses that permutation to scramble input info processed a byte at a time NETE0519-ISEC0513 45 RC4 Key Schedule starts with an array S of numbers: 0..255 use key to well and truly shuffle S forms internal state of the cipher for i = 0 to 255 do S[i] = i T[i] = K[i mod keylen]) j = 0 for i = 0 to 255 do j = (j + S[i] + T[i]) (mod 256) swap (S[i], S[j]) NETE0519-ISEC0513 46 RC4 Encryption encryption continues shuffling array values sum of shuffled pair selects "stream key" value from permutation XOR S[t] with next byte of message to en/decrypt i = j = 0 for each message byte Mi i = (i + 1) (mod 256) j = (j + S[i]) (mod 256) swap(S[i], S[j]) t = (S[i] + S[j]) (mod 256) Ci = Mi XOR S[t] NETE0519-ISEC0513 47 RC4 Overview NETE0519-ISEC0513 48 RC4 Security claimed secure against known attacks have some analyses, none practical result is very non-linear since RC4 is a stream cipher, must never reuse a key have a concern with WEP, but due to key handling rather than RC4 itself NETE0519-ISEC0513 49 Block Cipher Principles most symmetric block ciphers are based on a Feistel Cipher Structure needed since must be able to decrypt ciphertext to recover messages efficiently block ciphers look like an extremely large substitution would need table of 264 entries for a 64-bit block instead create from smaller building blocks using idea of a product cipher NETE0519-ISEC0513 50 Ideal Block Cipher NETE0519-ISEC0513 51 Claude Shannon and SubstitutionPermutation Ciphers Claude Shannon introduced idea of substitutionpermutation (S-P) networks in 1949 paper form basis of modern block ciphers S-P nets are based on the two primitive cryptographic operations seen before: substitution (S-box) permutation (P-box) provide confusion & diffusion of message & key NETE0519-ISEC0513 52 Diffusion and Confusion Confusion: hard to find any relationship between ciphertext and key. Diffusion: spreads influence of individual plaintext or key bits over as much of the ciphertext as possible. In particular, one bit change of plaintext or key must increase the difficulty of cryptanalysis. NETE0519-ISEC0513 53 Block Cipher Divide a message M into m1, …, mn Add padding to last block Use Ek to produce (ciphertext blocks) x1, …, xn Use Dk to recover M from m1, …, mn Modes of Block Ciphers: Electronic Codebook Cipher Block Chaining Cipher Feedback Output Feedback Counter (CTR) NETE0519-ISEC0513 54 Electronic Codebook NETE0519-ISEC0513 55 Electronic Codebook (cont’d) Ideal for short amount of data transfer e.g. encryption key ECB produces the same message pattern if using the same input. Not secure for lengthy message, easy for cryptanalysis. NETE0519-ISEC0513 56 Cipher Block Chaining NETE0519-ISEC0513 57 Cipher Feedback NETE0519-ISEC0513 58 Output Feedback NETE0519-ISEC0513 59 Counter (CTR) a “new” mode, though proposed early on similar to OFB but encrypts counter value rather than any feedback value must have a different key & counter value for every plaintext block (never reused) Ci = Pi XOR Oi Oi = DESK1(i) uses: high-speed network encryptions NETE0519-ISEC0513 60 Counter (CTR) (cont.) NETE0519-ISEC0513 61 Advantages and Limitations of CTR efficiency can do parallel encryptions in h/w or s/w can preprocess in advance of need good for bursty high speed links random access to encrypted data blocks provable security (good as other modes) but must ensure never reuse key/counter values, otherwise could break (cf OFB) NETE0519-ISEC0513 62 Outline Overview of Cryptography Symmetric Cryptography Classical Cryptographic Techniques Block Ciphers VS Stream Ciphers DES and 3DES Advanced Encryption Standard (AES) Design of Symmetric Cryptosystems Locations of Encryption Devices Key Distribution Random Numbers Problems of Symmetric Cryptography NETE0519-ISEC0513 63 Feistel Cipher Structure Virtually all conventional block encryption algorithms, including DES have a structure first described by Horst Feistel of IBM in 1973 The realization of a Fesitel Network depends on the choice of the following parameters and design features (see next slide): NETE0519-ISEC0513 64 Feistel Cipher Structure (cont.) Block size: larger block sizes mean greater security Key Size: larger key size means greater security Number of rounds: multiple rounds offer increasing security Subkey generation algorithm: greater complexity will lead to greater difficulty of cryptanalysis. Fast software encryption/decryption: the speed of execution of the algorithm becomes a concern Roung Function (F): Greater complexity is better, resistance to cryptanalysis NETE0519-ISEC0513 65 Feistel Encryption and Decryption NETE0519-ISEC0513 66 Proof: LD1 = RE15 Encryption side: LE16 = RE15 RE16 = LE15 F(RE15, K16) Decryption side: LD1 = RD0 = LE16 = RE15 RD1 = LD0 F(RD0, K16) = RE16 F(RE15, K16) = [LE15 F(RE15, K16)] F(RE15, K16) = LE15 [F(RE15, K16) F(RE15, K16)] = LE15 0 = LE15 NETE0519-ISEC0513 67 Data Encryption Standard (DES) most widely used block cipher in world adopted in 1977 by NBS (now NIST) as FIPS PUB 46 encrypts 64-bit data using 56-bit key has widespread use has been considerable controversy over its security NETE0519-ISEC0513 68 DES History IBM developed Lucifer cipher by team led by Feistel in late 60’s used 64-bit data blocks with 128-bit key then redeveloped as a commercial cipher with input from NSA and others in 1973 NBS issued request for proposals for a national cipher standard IBM submitted their revised Lucifer which was eventually accepted as the DES NETE0519-ISEC0513 69 DES Design Controversy although DES standard is public was considerable controversy over design in choice of 56-bit key (vs Lucifer 128-bit) and because design criteria were classified subsequent events and public analysis show in fact design was appropriate use of DES has flourished especially in financial applications still standardised for legacy application use NETE0519-ISEC0513 70 Data Encryption Standard (DES) A block of 64-bit data is encrypted using 56-bit key to produce a 64-bit block of ciphertext. Decryption can be done by encrypting the ciphertext using the same key. NETE0519-ISEC0513 71 DES Encryption NETE0519-ISEC0513 72 Single Round of DES Encryption NETE0519-ISEC0513 73 Permutation Table for DES NETE0519-ISEC0513 74 Permutation Tables for DES NETE0519-ISEC0513 75 DES Key Schedule Calculation Permuted Choice 1 and 2 NETE0519-ISEC0513 76 Calculation of F(R, K) 1. 2. 3. 4. R is expanded to 48 bits. The expanded R is XORed with 48-bit K. Split 48-bit data into 8 groups of 6-bit data to enter S-Boxes For each of the group, do the following: 1. For the 6-bit data to enter each Si, 1st and 6th bits form a 2-bit binary number to identity the row number in Si. 2. The decimal value of 2nd – 5th bits identify the column number in Si. 3. The selected decimal value from Si is then converted into 4-bit binary output of Si. NETE0519-ISEC0513 77 DES S-Boxes Permutation Function NETE0519-ISEC0513 78 DES S-Boxes (cont.) NETE0519-ISEC0513 79 DES S-Boxes (cont.) NETE0519-ISEC0513 80 Example Input to S5: 100111 1st and 6th bits are 11 -> row 3 2nd-5th bits are 0011 -> column 3 The decimal value in row 3 and column 3 of S5 is 7. The output value of S5 is 0111 S5 NETE0519-ISEC0513 2 14 4 11 12 11 2 8 4 1 7… 2 12 4 … 1 11 10 … 12 7 1 … 81 Avalanche Effect key desirable property of encryption alg where a change of one input or key bit results in changing approx half output bits making attempts to “home-in” by guessing keys impossible DES exhibits strong avalanche NETE0519-ISEC0513 82 Avalanche Effect in DES NETE0519-ISEC0513 83 Strength of DES – Key Size 56-bit keys have 256 = 7.2 x 1016 values brute force search looks hard recent advances have shown is possible in 1997 on Internet in a few months in 1998 on dedicated h/w (EFF) in a few days in 1999 above combined in 22hrs! Recently, .... still must be able to recognize plaintext must now consider alternatives to DES NETE0519-ISEC0513 84 More about DES If only the attack on DES is brute force, then use longer key size. NETE0519-ISEC0513 85 Multiple Encryption & DES clear a replacement for DES was needed theoretical attacks that can break it demonstrated exhaustive key search attacks AES is a new cipher alternative prior to this alternative was to use multiple encryption with DES implementations Triple-DES (3DES) is the chosen form NETE0519-ISEC0513 86 3DES with Two-Keys hence must use 3 encryptions would seem to need 3 distinct keys but can use 2 keys with E-D-E sequence C = EK1(DK2(EK1(P))) nb encrypt & decrypt equivalent in security if K1=K2 then can work with single DES standardized in ANSI X9.17 & ISO8732 no current known practical attacks NETE0519-ISEC0513 87 3DES with Two-Keys (cont.) NETE0519-ISEC0513 88 Triple-DES with Three-Keys although are no practical attacks on two-key Triple-DES have some indications can use Triple-DES with Three-Keys to avoid even these C = EK3(DK2(EK1(P))) has been adopted by some Internet applications, eg PGP, S/MIME NETE0519-ISEC0513 89 3DES with Three-Keys (cont.) NETE0519-ISEC0513 90 Other Symmetric Block Ciphers International Data Encryption Algorithm (IDEA) 128-bit key Used in PGP Blowfish Easy to implement High execution speed Run in less than 5K of memory NETE0519-ISEC0513 91 Other Symmetric Block Ciphers RC5 Suitable for hardware and software Fast, simple Adaptable to processors of different word lengths Variable number of rounds Variable-length key Low memory requirement High security Data-dependent rotations Cast-128 Key size from 40 to 128 bits The round function differs from round to round NETE0519-ISEC0513 92 Outline Overview of Cryptography Symmetric Cryptography Classical Cryptographic Techniques Block Ciphers VS Stream Ciphers DES and 3DES Advanced Encryption Standard (AES) Design of Symmetric Cryptosystems Locations of Encryption Devices Key Distribution Random Numbers Problems of Symmetric Cryptography NETE0519-ISEC0513 93 Origins clear a replacement for DES was needed have theoretical attacks that can break it have demonstrated exhaustive key search attacks can use Triple-DES – but slow, has small blocks US NIST issued call for ciphers in 1997 15 candidates accepted in Jun 98 5 were shortlisted in Aug-99 Rijndael was selected as the AES in Oct-2000 issued as FIPS PUB 197 standard in Nov-2001 NETE0519-ISEC0513 94 AES Requirements private key symmetric block cipher 128-bit data, 128/192/256-bit keys stronger & faster than Triple-DES active life of 20-30 years (+ archival use) provide full specification & design details both C & Java implementations NIST have released all submissions & unclassified analyses NETE0519-ISEC0513 95 AES 128-bit plaintext block Key length -> 128, 192, 256 bits 10 rounds for each encryption and decryption 128-bit plaintext is divided into 16 8-bit (1-byte) blocks. 128-bit key is generated to 44 32-bit “words”, and 4 different words will be used in each round 11 sets of 4-word keys are used in 10-round encryption ! Decryption algorithm is not identical to encryption algorithm NETE0519-ISEC0513 96 AES Parameters NETE0519-ISEC0513 97 AES Key Expansion NETE0519-ISEC0513 98 AES Encryption and Decryption XOR XOR NETE0519-ISEC0513 99 AES Encryption 4 stages in each round: Substitution bytes -> use S-box for byte-to-byte substitution Shift rows -> simple row-by-row permutation Mix columns -> a substitution that alters each byte in a column as a function of all of the bytes in the column Add round keys -> bitwise XOR of the current block with the key NETE0519-ISEC0513 100 AES Encryption Round 16 bytes NETE0519-ISEC0513 101 SubBytes NETE0519-ISEC0513 102 SubBytes (cont.) S-box NETE0519-ISEC0513 103 SubBytes (cont.) Inverse S-box NETE0519-ISEC0513 104 SubBytes (cont.) NETE0519-ISEC0513 105 ShiftRows NETE0519-ISEC0513 106 MixColumns NETE0519-ISEC0513 107 MixColumns (cont.) NETE0519-ISEC0513 108 AddRoundKey NETE0519-ISEC0513 109 AddRoundKey (cont.) NETE0519-ISEC0513 110 AES Operations NETE0519-ISEC0513 111 Implementation Aspects can efficiently implement on 8-bit CPU byte substitution works on bytes using a table of 256 entries shift rows is simple byte shift add round key works on byte XOR’s mix columns requires matrix multiply in GF(28) which works on byte values, can be simplified to use table lookups & byte XOR’s NETE0519-ISEC0513 112 Implementation Aspects (cont.) can efficiently implement on 32-bit CPU redefine steps to use 32-bit words can precompute 4 tables of 256-words then each column in each round can be computed using 4 table lookups + 4 XORs at a cost of 4Kb to store tables designers believe this very efficient implementation was a key factor in its selection as the AES cipher NETE0519-ISEC0513 113 Outline Overview of Cryptography Symmetric Cryptography Classical Cryptographic Techniques Block Ciphers Vs Stream Ciphers DES and 3DES Advanced Encryption Standard (AES) Design of Symmetric Cryptosystems Locations of Encryption Devices Key Distribution Random Numbers Problems of Symmetric Cryptography NETE0519-ISEC0513 114 Design of Symmetric Cryptosystems A Cryptographic algorithm should be efficient for good use It should be fast and key length should be of the right length – e.g.; not too short Cryptographic algorithms are not impossible to break without a key If we try all the combinations, we can get the original message NETE0519-ISEC0513 2-115 115 Design of Symmetric Cryptosystems (cont.) The security of a cryptographic algorithm depends on how much work it takes for someone to break it E.g. If it takes 10 mil. years to break a cryptographic algorithm X using all the computers of a state, X can be thought of as a secure one – reason: cluster computers and quantum computers are powerful enough to crack many current cryptographic algorithms. NETE0519-ISEC0513 116 Design of Symmetric Cryptosystems (cont.) Encryption Algorithm Design Should the block size of messages be small or large? Should the keyspace be large? Should we consider other search rather than brute-force search? NETE0519-ISEC0513 2-117 117 Outline Overview of Cryptography Symmetric Cryptography Classical Cryptographic Techniques Block Ciphers VS Stream Ciphers DES and 3DES Advanced Encryption Standard (AES) Design of Symmetric Cryptosystems Locations of Encryption Devices Key Distribution Problems of Symmetric Cryptography NETE0519-ISEC0513 118 Placement of Encryption have two major placement alternatives link encryption encryption occurs independently on every link implies must decrypt traffic between links requires many devices, but paired keys end-to-end encryption encryption occurs between original source and final destination need devices at each end with shared keys NETE0519-ISEC0513 119 Locations of Encryption Devices NETE0519-ISEC0513 120 Placement of Encryption (cont.) when using end-to-end encryption must leave headers in clear so network can correctly route information hence although contents protected, traffic pattern flows are not ideally want both at once end-to-end protects data contents over entire path and provides authentication link protects traffic flows from monitoring NETE0519-ISEC0513 121 Placement of Encryption (cont.) can place encryption function at various layers in OSI Reference Model link encryption occurs at layers 1 or 2, 3 end-to-end can occur at layers 4, 6, 7 as move higher less information is encrypted but it is more secure though more complex with more entities and keys NETE0519-ISEC0513 122 Link Encryption VS End-to-end Encryption NETE0519-ISEC0513 123 Encryption VS Protocol Level NETE0519-ISEC0513 124 Traffic Padding NETE0519-ISEC0513 125 Outline Overview of Cryptography Symmetric Cryptography Classical Cryptographic Techniques Block Ciphers VS Stream Ciphers DES and 3DES Advanced Encryption Standard (AES) Design of Symmetric Cryptosystems Locations of Encryption Devices Key Distribution Random Numbers Problems of Symmetric Cryptography NETE0519-ISEC0513 126 Key Distribution The security of symmetric cryptosystem is based on the security of key distribution. Important process two hosts need a shared key before transmitting a message securely. Secret key must be securely distributed between hosts, and need to be updated frequently. But, HOW can we securely distribute the shared key? NETE0519-ISEC0513 127 Key Exchange with Symmetric Cryptography Two kinds of keys: Session key temporary key used for encryption of data between users for one logical session then discarded Master key used to encrypt and distribute session keys shared by user & key distribution center Key Distribution Center (KDC) Shares permanent key with hosts Distributes session keys upon the requests of hosts NETE0519-ISEC0513 128 Key Distribution Scenario NETE0519-ISEC0513 129 Steps 1. Alice sends a request (IDA, IDB) for a session key and a nonce (N1) to KDC. Nonce may be a random number. What is nonce for? 2. 3. 4. 5. KDC sends an encrypted message to A containing: Session key KS Encrypted session key for Bob EKb(KS, IDA) Alice forwards EKb(KS, IDA) to Bob. Bob can decrypt it. (anyone else?) Bob confirms that he has received KS by sending Alice EKs[N2]. Alice responses by sending f(N2) encrypted with KS. NETE0519-ISEC0513 130 Hierarchical Key Control In a very large network, a single KDC is not enough -> a hierarchy of KDCs can be established. Local KDCs and a global KDC Local KDC is responsible for parties in the same domain, whereas global KDC is taking care of communications of parties in different domains. NETE0519-ISEC0513 131 Key Distribution Issues hierarchies of KDC’s required for large networks, but must trust each other session key lifetimes should be limited for greater security use of automatic key distribution on behalf of users, but must trust system use of decentralized key distribution controlling key usage NETE0519-ISEC0513 132 Session Key Lifetime The more frequently session keys are exchanged, the more secure they are. However, each session key distribution causes delays. In connection-oriented protocols, a new session key is issued for each connection. However, if the connection is open for a long time, it may be needed to retransmit a new session key. In connectionless protocols, not obvious how often the new session key is exchanged. A better strategy is to use a given session key for a certain fixed period only or for a certain number of transaction. NETE0519-ISEC0513 133 A Transparent Key Control Scheme NETE0519-ISEC0513 134 Decentralized Key Control Centralized Key Control -> KDC is normally assumed to be trusted and secured from attacks. However, attacks may occur. -> try decentralized approach Decentralization is suitable for local connection. Involved parties need a master key between pairs of parties as many as [n(n-1)]/2 keys among n users. NETE0519-ISEC0513 135 Decentralized Key Distribution NETE0519-ISEC0513 136 Decentralized Key Distribution (cont.) 1. Alice and Bob share a master key MKm. 2. Alice sends a request for a session key with a nonce N1 to Bob. 3. Bob sends KS encrypted with shared master key MKm. The message contains a nonce N2. 4. Alice responses with f(N2) encrypted with the session key. NETE0519-ISEC0513 137 Outline Overview of Cryptography Symmetric Cryptography Classical Cryptographic Techniques Block Ciphers VS Stream Ciphers DES and 3DES Advanced Encryption Standard (AES) Design of Symmetric Cryptosystems Locations of Encryption Devices Key Distribution Random Numbers Problems of Symmetric Cryptography NETE0519-ISEC0513 138 Random Numbers many uses of random numbers in cryptography nonces in authentication protocols to prevent replay session keys public key generation keystream for a one-time pad in all cases its critical that these values be statistically random, uniform distribution, independent unpredictability of future values from previous values NETE0519-ISEC0513 139 Pseudorandom Number Generators (PRNGs) often use deterministic algorithmic techniques to create “random numbers” although are not truly random can pass many tests of “randomness” known as “pseudorandom numbers” created by “Pseudorandom Number Generators (PRNGs)” NETE0519-ISEC0513 140 Using Block Ciphers as PRNGs for cryptographic applications, can use a block cipher to generate random numbers often for creating session keys from master key Counter Mode Xi = EKm[i] Output Feedback Mode Xi = EKm[Xi-1] NETE0519-ISEC0513 141 ANSI X9.17 PRG Date/time Seed value NETE0519-ISEC0513 142 ANSI X9.17 PRG (cont.) It uses date/time & seed inputs and 3 triple-DES encryptions to generate a new seed & random value. DTi - Date/time value at the beginning of ith generation stage Vi - Seed value at the beginning of ith generation stage Ri - Pseudorandom number produced by the ith generation stage K1, K2 - DES keys used for each stage Then compute successive values as: Ri = EDE([K1, K2], [Vi XOR EDE([K1, K2], DTi)]) Vi+1 = EDE([K1, K2], [Ri XOR EDE([K1, K2], DTi)]) NETE0519-ISEC0513 143 Natural Random Noise best source is natural randomness in real world find a regular but random event and monitor do generally need special h/w to do this eg. radiation counters, radio noise, audio noise, thermal noise in diodes, leaky capacitors, mercury discharge tubes etc starting to see such h/w in new CPU's problems of bias or uneven distribution in signal have to compensate for this when sample and use best to only use a few noisiest bits from each sample NETE0519-ISEC0513 144 Published Sources a few published collections of random numbers Rand Co, in 1955, published 1 million numbers generated using an electronic roulette wheel has been used in some cipher designs cf Khafre earlier Tippett in 1927 published a collection issues are that: these are limited too well-known for most uses NETE0519-ISEC0513 145 Outline Overview of Cryptography Symmetric Cryptography Classical Cryptographic Techniques Block Ciphers VS Stream Ciphers DES and 3DES Advanced Encryption Standard (AES) Design of Symmetric Cryptosystems Locations of Encryption Devices Key Distribution Random Numbers Problems of Symmetric Cryptography NETE0519-ISEC0513 146 Problems of Symmetric Cryptography Keys must be distributed in secret. Keys are valuable as all the messages they encrypt. If a key is compromised, then so the security of the entire system. Not scalable -> assume that each pair of total n users shares different secrets. Number of keys needed is n(n-1)/2 keys Algorithms are easy to break compared to public-key cryptographic algorithms However symmetric one can be performed faster -> less time -> less power consumption -> suitable for being implemented in mobile devices Lack of necessary security services e.g. non repudiation, provide low-level of integrity check NETE0519-ISEC0513 147 Questions? Next week Public-key Cryptography NETE0519-ISEC0513 148 Discussion Discuss two differences between Block Cipher and Stream Cipher Explain how symmetric cryptography can provide authentication Suggest a key distribution technique that provides offline key generation and distribution NETE0519-ISEC0513 149
