Block Ciphers (Crypto 2)
In This Talk (I promise there won’t be any math) Block Ciphers Encryption Modes Padding Schemes
What is a block cipher?
What is a block cipher? A function with 2 inputs: a fixed-size block of data and a secret key. For each key the function is a bijection (a permutation) on blocks, so every ciphertext block maps back to exactly one plaintext block; the key selects which permutation is used.
What do we look for in a block cipher?
What do we look for in a block cipher? Models a pseudorandom permutation. What is a pseudorandom permutation? It behaves like a random permutation of the block space chosen by a seed; the key is the seed, and without the key the cipher should be indistinguishable from a random permutation. Small change in input -> large change in output (avalanche). Duality: Substitution and Permutation, Confusion and Diffusion.
What can’t a block cipher do? Provide Authenticity Provide Nonrepudiation Provide Integrity Encrypt >1 block of data Encrypt <1 block of data
Important Block ciphers are building blocks for more general cryptographic purposes “Primitive” Not very useful on their own
Some block cipher constructions Substitution/Permutation Network Feistel Network ARX
Substitution/Permutation Network: Substitution gives confusion, permutation gives diffusion. Each round applies fixed substitutions (S-boxes) and permutations, mixed with a round key. Simple to implement. Speed depends on the implementation: table-driven software is fast but can leak key material through cache timing, while AES (an SPN) has dedicated CPU instructions on modern processors.
Feistel Networks: each round changes only half of the block. The round key and the right half are the inputs to the F-box (F need not be invertible). XOR the F-box output with the left half; that is the new right half. The old right half becomes the new left half. Repeat for many rounds with a different round key each time.
Feistel Networks: Why is decryption possible? Run the same rounds with the round keys in reverse order; since each round only XORs F's output into one half, the XOR undoes itself. Why does F not need to be invertible? The half that went into F is carried through the round unchanged, so the decryptor can recompute F on it rather than invert it.
Feistel Networks: speed depends on F, and F is flexible (any keyed function will do). A certain minimum number of rounds is needed, and more rounds than an SPN, because each round operates on only half of the data.
ARX: the argument is that you only need 3 basic operations: Add, Rotate, XOR. Fast in software and in hardware, and with no table lookups the operations are naturally constant-time.
Some common block ciphers: DES - old standard, not used much because of its small block/key size: 64-bit block, 56-bit key, Feistel. AES - current standard: 128-bit block, 128/192/256-bit key, Substitution/Permutation Network. Salsa20 - an ARX design; strictly a stream cipher rather than a block cipher, with no table lookups and so resistant to cache-timing attacks.
CTF Rule of Thumb: If they import it, assume the primitive is secure and attack how it is used (mode, IV, padding). If it's custom, it is exploitable.
Encrypting more than one block of data: assume the data is some multiple of the block length, still under one fixed key. Same concept as for block ciphers: a small change in input should bring large changes in output. In fact modes go further: no change in input (the same message encrypted twice) should still bring large changes in output. A well-designed mode, used correctly, does not compromise security: the result is as secure as the block cipher.
How? Probabilistic encryption - the same plaintext is not always encrypted the same way. Deterministic decryption - a ciphertext is always decrypted the same way: for any message M, D(E(M)) = M (always). Randomly generate an Initialization Vector (IV); since it will be different each time, the blocks encrypt differently. The IV needs to be available when decrypting, so it is usually sent alongside the ciphertext.
Electronic Codebook Mode: everyone's favorite terrible example of encryption. Each block is encrypted independently with a normal block cipher call. Why is this bad? Identical plaintext blocks produce identical ciphertext blocks, so the structure of the plaintext shows through, and blocks can be reordered or replayed without detection.
Cipher Block Chaining: Idea: before encrypting each block, XOR it with the previous block's ciphertext, with C0 = IV. If a previous block is changed, so is every block after it. Decrypt by XORing each decrypted block with the previous ciphertext block. What if the attacker controls the ciphertext?
CBC Diagrams
Attacking CBC: assume part of the plaintext is known. Use the previous ciphertext block to control that known plaintext.
Attacking CBC: for a known plaintext block i, E^-1(c_i) ⊕ c_{i-1} = p_i. Replacing c_{i-1} with c_{i-1} ⊕ p_i ⊕ p'_i therefore makes block i decrypt to p'_i (block i-1 itself decrypts to garbage).
Counter mode of operation: use the IV (nonce) as input to the block cipher and increment a counter for each block. This creates a keystream that does not depend on the plaintext or ciphertext (parallelizable; only the forward direction of the cipher is needed, and no padding). My go-to mode of operation. Still vulnerable if an IV is reused under the same key: both messages get the same keystream, so c1 ⊕ c2 = p1 ⊕ p2.
CTR Diagrams
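As an added example (not code from the original talk), the ECB and CTR slides above in working Python. Because CTR, and ECB encryption, only ever call the block cipher in the forward direction, a keyed PRF is enough to show the point: here HMAC-SHA256 truncated to one block stands in for E_k, an assumption of this example rather than a real block cipher. The demo inputs are constructed. It shows the ECB leak (identical plaintext blocks give identical ciphertext blocks), that CTR encryption and decryption are the same XOR, and the failure mode of reusing a (key, nonce) pair.

```python
import hmac
import hashlib

BLOCK = 16  # 128-bit block, as for AES


def block_fn(key: bytes, block: bytes) -> bytes:
    # Stand-in for the forward direction E_k of a block cipher: a keyed PRF
    # (HMAC-SHA256 truncated to one block). CTR, and ECB *encryption*, only
    # ever call E_k and never its inverse, so a PRF is enough to show the point.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    # Each block is encrypted independently, so equal plaintext blocks give
    # equal ciphertext blocks. Input must already be a multiple of BLOCK.
    assert len(data) % BLOCK == 0
    return b"".join(block_fn(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def repeated_blocks(ciphertext: bytes) -> int:
    # Number of ciphertext blocks that duplicate an earlier one: the ECB leak.
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return len(blocks) - len(set(blocks))


def ctr_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Keystream block i = E_k(nonce || i): 8-byte nonce, 8-byte big-endian counter.
    # Nothing here depends on plaintext or ciphertext, so blocks can be computed
    # in parallel and in any order.
    assert len(nonce) == 8
    out = b""
    counter = 0
    while len(out) < length:
        out += block_fn(key, nonce + counter.to_bytes(8, "big"))
        counter += 1
    return out[:length]


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Encryption and decryption are the same operation: XOR with the keystream.
    # No padding is needed; the keystream is simply cut to the data length.
    return xor(data, ctr_keystream(key, nonce, len(data)))


def recover_from_nonce_reuse(c1: bytes, known_p1: bytes, c2: bytes) -> bytes:
    # If (key, nonce) is reused, both messages share the keystream ks:
    #   c1 ^ c2 = (p1 ^ ks) ^ (p2 ^ ks) = p1 ^ p2
    # so a known p1 hands the attacker p2 (over the overlapping length).
    return xor(xor(c1, c2), known_p1)


if __name__ == "__main__":
    # Constructed demo inputs.
    key = bytes(16)
    ecb_ct = ecb_encrypt(key, b"A" * 32 + b"B" * 16)
    print("ECB repeated blocks:", repeated_blocks(ecb_ct))  # the two 'A' blocks collide
    nonce = b"\x11" * 8
    p1 = b"known plaintext, sent first"
    c1 = ctr_crypt(key, nonce, p1)
    c2 = ctr_crypt(key, nonce, b"secret plaintext, same nonce")
    print("recovered from nonce reuse:", recover_from_nonce_reuse(c1, p1, c2))
```

The nonce-reuse recovery needs no key at all, which is why CTR (and every stream-cipher style mode) must treat the nonce as a never-repeat value per key, typically a counter or a random value large enough that collisions are negligible.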
Padding: methods that let us encrypt messages of arbitrary length. The padding itself needs to be reversible, and padding/unpadding must be determined only by the message length, never by its content.
Explicit Padding: part of the pad explicitly states the length of the pad, usually the last byte. Easy to check, but it gives information about the plaintext (its length) and can be manipulated by an attacker who controls the ciphertext.
Types of explicit padding. Assume p bytes need to be padded. Random method: p-1 random/arbitrary bytes, then the last byte is p. Worst security: an attacker only needs to manipulate one byte. Zero method: p-1 null bytes, then the last byte is p. Harder, because the attacker also needs to set those bytes to 0.
Types of explicit padding. PKCS7: all of the last p bytes are p (and a message that already fills a block gets a whole extra block of padding). Harder still, because every pad byte changes as p changes.
Padding Oracle attacks: a CBC padding oracle with explicit padding means any ciphertext can be decrypted. An "oracle" is some online function or method we can query that returns some result; a padding oracle only tells us whether the padding is valid or invalid (an error message, a status code, or even a timing difference is enough). CBC is what makes this work; the block cipher itself doesn't matter. If we have a valid ciphertext, it has valid padding.
Padding Oracle attacks: manipulate the last byte of the previous ciphertext block. Almost every value produces invalid padding, except the one that makes the last plaintext byte "\x01"; that reveals the last byte. Once you know the last byte, set it so the plaintext becomes "\x02" and manipulate the second-to-last byte. Repeat backwards through the block, then for every block of the ciphertext!
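The following is an added example, not code from the original talk, tying together the Feistel, CBC, CBC bit-flipping, PKCS7 and padding-oracle slides. The block cipher is a toy 8-round Feistel network whose F-box is a truncated HMAC-SHA256 (one-way, never inverted, exactly as the Feistel slides describe); its key schedule and round count are assumptions of this example, and the padding oracle is simulated locally by a function that reports only whether decryption raised a padding error. All keys, IVs and messages are constructed.

```python
import hmac
import hashlib

BLOCK = 16  # 128-bit block, split into two 64-bit halves for the Feistel rounds

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(round_key: bytes, half: bytes) -> bytes:
    # The F-box: keyed and deliberately one-way (truncated HMAC-SHA256). It is
    # only ever recomputed, never inverted, so it need not be a bijection.
    return hmac.new(round_key, half, hashlib.sha256).digest()[:8]

def _round_keys(key: bytes, rounds: int = 8) -> list:
    # Toy key schedule (an assumption of this example): one derived key per round.
    return [hmac.new(key, bytes([i]), hashlib.sha256).digest() for i in range(rounds)]

def feistel_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rk in _round_keys(key):
        # new right = left XOR F(rk, right); the old right becomes the new left
        left, right = right, xor(left, _f(rk, right))
    return left + right

def feistel_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rk in reversed(_round_keys(key)):
        # Undo one round: F's input (the old right, now the left) is still there,
        # so recompute F and XOR it off; the XOR is its own inverse.
        left, right = xor(right, _f(rk, left)), left
    return left + right

def pkcs7_pad(data: bytes) -> bytes:
    p = BLOCK - len(data) % BLOCK  # 1..16: a whole block of padding if already aligned
    return data + bytes([p]) * p

def pkcs7_unpad(data: bytes) -> bytes:
    p = data[-1] if data else 0
    if p < 1 or p > BLOCK or data[-p:] != bytes([p]) * p:
        raise ValueError("bad padding")
    return data[:-p]

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    data, prev, out = pkcs7_pad(plaintext), iv, b""
    for i in range(0, len(data), BLOCK):
        prev = feistel_encrypt(key, xor(data[i:i + BLOCK], prev))  # c_i = E_k(p_i XOR c_{i-1})
        out += prev
    return out

def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    prev, out = iv, b""
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out += xor(feistel_decrypt(key, cur), prev)  # p_i = D_k(c_i) XOR c_{i-1}
        prev = cur
    return pkcs7_unpad(out)

def cbc_flip(prev_block: bytes, known: bytes, wanted: bytes) -> bytes:
    # Bit flipping: because p_i = D_k(c_i) XOR c_{i-1}, XORing c_{i-1} with
    # (known XOR wanted) makes block i decrypt to 'wanted'; block i-1 becomes garbage.
    return xor(prev_block, xor(known, wanted))

def make_padding_oracle(key: bytes):
    # The victim: the only thing it leaks is whether the padding was valid.
    def oracle(iv: bytes, ciphertext: bytes) -> bool:
        try:
            cbc_decrypt(key, iv, ciphertext)
            return True
        except ValueError:
            return False
    return oracle

def padding_oracle_attack(oracle, iv: bytes, ciphertext: bytes) -> bytes:
    # Recovers the padded plaintext with no key, one byte at a time from the end
    # of each block, by forging the block that precedes it (c_{i-1}, or the IV).
    blocks = [iv] + [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    recovered = b""
    for prev, cur in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)  # D_k(cur), learned byte by byte
        for pos in range(BLOCK - 1, -1, -1):
            pad = BLOCK - pos  # padding value the forged tail must decrypt to
            forged = bytearray(BLOCK)
            for j in range(pos + 1, BLOCK):
                forged[j] = inter[j] ^ pad  # bytes already known decrypt to 'pad'
            for guess in range(256):
                forged[pos] = guess
                if not oracle(bytes(forged), cur):
                    continue
                if pos == BLOCK - 1:
                    # Rule out a false positive such as ...\x02\x02: disturb the
                    # byte before it and re-query; only a genuine \x01 stays valid.
                    check = bytearray(forged)
                    check[pos - 1] ^= 0xFF
                    if not oracle(bytes(check), cur):
                        continue
                inter[pos] = guess ^ pad  # D_k(cur)[pos] XOR forged[pos] == pad
                break
        recovered += xor(bytes(inter), prev)  # p_i = D_k(c_i) XOR real c_{i-1}
    return recovered
```

Each block costs at most 256 oracle queries per byte, and the attacker never touches the block cipher: swapping the toy Feistel for AES changes nothing in padding_oracle_attack, which is the point of the "block cipher itself doesn't matter" slide. The usual defences are to authenticate the ciphertext (an HMAC over IV and ciphertext, checked before decryption, or an AEAD mode) and to make every failure, padding or otherwise, indistinguishable to the client.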
Implicit Padding: padding schemes that don't state the amount of padding. After the message, append a 1 bit and then 0 bits until the block is full. Since we usually operate on bytes, this is "\x80" followed by null bytes until the block is full; unpadding strips the trailing nulls and then the "\x80".
No padding Ciphertext Stealing Streaming modes of encryption (CTR) Stream Ciphers
Sources Diagrams from wikipedia