15-349 Introduction to Computer and Network Security Iliano Cervesato 31 August 2008 – Symmetric Encryption
Where we are Course intro Cryptography Program/OS security & trust Intro to crypto Modern crypto Symmetric encryption Asymmetric encryption Beyond encryption Cryptographic protocols Attacking protocols Program/OS security & trust Networks security Beyond technology
Outline Shared-key cryptography – Review The Data Encryption Standard - DES Feistel networks How DES works Attacks and weaknesses 3DES and variants The Advanced Encryption Standard - AES The AES contest How AES works Encrypting long messages Block ciphers Stream ciphers One-time pad Random number generators RC4
Symmetric Encryption Schemes (K, E, D) Key generation algorithm K : {0,1}k Encryption algorithm E : {0,1}a x {0,1}k {0,1}c Ek : {0,1}a {0,1}c Decryption algorithm D: {0,1}c x {0,1}k {0,1}a Dk : {0,1}c {0,1}a
Functional requirements E, D : {0,1}n x {0,1}k {0,1}n Dk(Ek(m)) = m For every k, Ek is an injection with inverse Dk Ek(m) is easy to compute, given m and k Dk(x) is easy to compute, given x and k Polynomial in max{n,k} - often linear If x = Ek(m), it is hard to find m without k Exponential in k
Symmetric Encryption Dk(Ek(m)) = m E D Encrypted message (ciphertext) box Decryption box Encrypted message (ciphertext) Encrypted message (ciphertext) E M X D X M k Message (cleartext) Message (cleartext) Secret key Dk(Ek(m)) = m
Exclusive OR Fundamental operation of many ciphers Properties y y = 0 y 0 = y y 1 = y y z z = y 1 y z z y
DES - Data Encryption Standard Secure civilian encryption scheme Standardized Design approach 1972: NBS call for proposals 1974: interest in IBM’s Lucifer approach Analyzed by DoD and enhanced by NSA Worries of backdoors 1976: adopted as standard 4 years + IBM’s work
Black-box view of DES Message blocks: 64 bits Keys: 56 bits – fixed! Speed Uses only standard arithmetic/logical operations Software: 43,000 block/sec ~ 2.7 Mbit/sec Measured on an old 80486 at 66MHz OK for files and web pages Too slow for sound and video Hardware: 16.8 million block/sec ~ 1 Gbit/sec High speed Ethernet: 100 Mbit/sec Modem: 56 Kbit/sec Clear- text block Cipher- text block DES 64 64
Feistel Networks f1, …, fk : {0,1}n {0,1}n Arbitrary functions n bits n bits L0 : R0 : f1 Round 1 f1, …, fk : {0,1}n {0,1}n Arbitrary functions Not necessarily invertible L1 : R1 : f2 Round 2 … Lk-2 : Rk-2 : Li = Ri-1 Ri = Li-1 fi(Ri-1) fk-1 Round k-1 Lk-1 : Rk-1 : fk Round k Lk : Rk :
Inverting a Feistel Network Theorem For any f1, …, fk : {0,1}n {0,1}n, a Feistel network computes a permutation p : {0,1}n {0,1}n f1 f2 fk-1 fk L0 : R0 : L1 : R1 : Lk-2 : Rk-2 : Lk-1 : Rk-1 : Lk : Rk : … Li-1 = Ri fi(Li) Ri-1 = Li Inverse: Feistel networks convert generic functions into permutations
16-round Feistel Network Inside DES cleartext DES is a Feistel network with 16 rounds 64 bit cleartext blocks 56 bits key f1, …, f16 derived from key Initial permutation p (public) Decryption Apply f16, …, f1 (in reverse order) Same chip 64 p key 64 16-round Feistel Network 56 64 p-1 64 ciphertext
The Functions fi fi(x) = F(x, ki) ki derived from k Public key schedule F: {0,1}32 x {0,1}48 {0,1}32 is public ½ block x expanded to x’ Public replicator r S-boxes Sj are public … where the magic happens Rationale was kept secret Final permutation p’ is public Shuffles input for next round 32 48 bits r 56 bits x’ 48 48 48 6 6 6 6 6 6 6 6 S1 S2 32 bits 48 bits S3 S4 S5 S6 S7 S8 4 4 4 4 4 4 4 4 6 bits 4 bits 32 p’ 32 F(x, ki)
Security of DES Differential cryptanalysis Key length Observe effects of Little changes in input Little changes to algorithms DES found optimal Key length 56 bits was fine in the 70’s Not now … Moore’s law
Attacks on DES Exhaustive search However … More sophisticated attacks Given plaintext m and ciphertext x, with high probability there is a single key k s.t. x = DES(m,k) Trying 106 keys/sec, it takes 2,000 years However … 1998, $130,000 homemade supercomputer breaks DES in 112 hours (CPA) More sophisticated attacks Use properties (e.g. DES(m,k) = DES(m,k)) Linear / differential crypto-analysis
Avoiding Exhaustive Search–3DES DES is not a group Given k1, k2, with high probability there is no k3 s.t. Ek1(Ek2(m)) = Ek3(m) for every m 3DESk1,k2,k3(m) = Ek1(Ek2(Ek3(m))) Key length: 112 bits Very popular DES encryption DES encryption DES encryption
How about a 2DES? 2DESk1,k2(m) = Ek1( Ek2(m)) ?? Meet-in-the-middle attack! E m X D X1 X2 56 … m1 m2 Try all possible keys = ? For key length n, total work is “only” 2n + 2n = 2n+1 Effective key length is just 57 bits! Applies to any encryption algorithm
2.5DESk1,k2(m) = Ek1(Dk2(Ek1(m))) Another variant – 2.5-DES 2.5DESk1,k2(m) = Ek1(Dk2(Ek1(m))) Effective key length: 80 bits DES encryption DES encryption DES decryption
DESXk1,k2,k3(m) = k1 Ek2(m k3) DES encryption DESXk1,k2,k3(m) = k1 Ek2(m k3) Key length: 56 + 2*64 = 184 bits However, effective key length is only about 100 bits
AES – a Successor to DES 1996: NIST issues public call for proposal Advanced Encryption Standard 1996: NIST issues public call for proposal Secure for next 50-100 years Block cipher faster than 3DES Variable key lengths (128, 192, 256, … bits) Open design Exportable world-wide 1998: 15 algorithms selected 1999: 5 finalists Public (and private) crypto-analysis for 4 years
Oct. 2000: AES Contest Winner Rijndael, by J. Daemen and V. Rijmen Fast (~18-20 cycles to encrypt a byte) Bit operations: , shift, addition, … Small (98 Kb) Well understood characteristics Based on mathematics (Galois fields) Officially adopted as AES in Dec. 2001
Black-box view of AES Message blocks: 128 bits key 128+ Clear- text block Cipher- text block AES 128 128 Message blocks: 128 bits Keys: 128, 192, 256 bits But Rijndael allows any multiple of 64 bits Extensible if necessary
Inside AES … Number of rounds varies with key size 128, 192, 256 k1 128 k2 128 kn 128 … input output 128 Round 1 128 Round 2 128 128 Round n 128 n rounds (n = 10, 12, 14) Number of rounds varies with key size More for longer keys
How AES round i works x m: ki (rearrangement) Byte substitution Next round b’0 b’4 b’8 b’12 b’1 b’5 b’9 b’13 b’2 b’6 b’10 b’14 b’3 b’7 b’11 b’15 Byte substitution x 2 3 1 b’14 222 s0 s4 s8 s12 s1 s5 s9 s13 s2 s6 s10 s14 s3 s7 s11 s15 Row shift ki x0 x4 x8 x12 x1 x5 x9 x13 x2 x6 x10 x14 x3 x7 x11 x15 Add round key
AES Vulnerabilities None discovered so far Extensive public scrutiny 4 years before adoption as standard 7 years of public use so far
Encrypting Long messages Most algorithms operate on fixed sizes 64 bits for DES 128 bits for AES Block ciphers Slice m into m1, …, mn Add padding to last block Use Ek to produce x1, …, xn Use Dk to recover m1, …, mn Stream ciphers Rely on pseudo-random sequence
Electronic Codebook Mode – ECB Any identical block encrypted identically Lots of ciphertext with the same k Dictionary attack Attacker records blocks Substitute them back when appropriate Encryption guarantees secrecy, not integrity Ek m: x: n bits …
Cipher Block Chaining – CBC Encryption x1 = Ek(m1 IV) xi = Ek(mi xi-1) Decryption m1 = Dk(x1) IV mi = Dk(xi) xi-1 Widely used E.g IPSec Ek m: x: n bits … IV Initialization Vector
Output Feedback Mode – OFB Encryption xi = mi Ek(IV)i Decryption mi = xi Dk(IV)i NB: encryption is never applied to m m: x: n bits … IV Initialization Vector Ek Ek Ek
One-Time Pad Ek(m) = m k Dk(x) = x k Requires |m| = |k| Very fast Perfect secrecy Prob[guessing m] = Prob[guessing m|x] k should never be reused again! x1 = m1 k x2 = m2 k k very large for long messages How to distribute it? x1 x2 = m1 m2
Pseudo-Random Bit Generators Deterministic functions RNG : {0,1}n {0,1} Stretch fixed-size seed to an unbounded sequence that looks random Computable approximation of one-time pad Example: RC4 Example: i := 0 do forever i := i+1 mod 256 j := j+s[I] mod 256 swap s[i],s[j] t := s[i]+s[j] mod 256 output s[t] Seed: initial value of s Size of state: (2256)256
Ek(m) = DESk(s) , m RNG(s) Stream Ciphers One-time pad using a RNG Use k as seed? Ek(m) = m RNG(k) Reuse problem! Typical usage (e.g., with DES) Ek(m) = DESk(s) , m RNG(s) Chose new s each time strong fast