Conventional Encryption
Outline Conventional Encryption Principles Conventional Encryption Algorithms Cipher Block Modes of Operation Location of Encryption Devices Key Distribution
Symmetric Encryption A.k.a. conventional / secret-key / single-key Sender and recipient share a common key All classical encryption algorithms are secret-key-based Was the only type prior to the invention of public-key in 1970’s Why? By far most widely used Symmetric encryption, also referred to as conventional encryption or single-key encryption, was the only type of encryption in use prior to the development of public-key encryption in the 1970s. It remains by far the most widely used of the two types of encryption. All traditional schemes are symmetric / single key / private-key encryption algorithms, with a single key, used for both encryption and decryption. Since both sender and receiver are equivalent, either can encrypt or decrypt messages using that common key.
Conventional Encryption Principles An encryption scheme has five ingredients: Plaintext Encryption algorithm Secret key Ciphertext Decryption algorithm Security depends on the secrecy of the key, not the secrecy of the algorithm Why?
Conventional Encryption Principles
Requirements Two requirements for secure use of symmetric encryption: A strong encryption algorithm A secret key known only to sender and receiver Mathematically we have: Y = EK(X) X = DK(Y) Assume encryption algorithm is known Implies a secure channel to distribute key We assume that it is impractical to decrypt a message on the basis of the cipher- text plus knowledge of the encryption/decryption algorithm, and do not need to keep the algorithm secret; rather we only need to keep the key secret. This feature of symmetric encryption is what makes it feasible for widespread use. It allows easy distribution of s/w and h/w implementations. Can take a closer look at the essential elements of a symmetric encryption scheme: mathematically it can be considered a pair of functions with: plaintext X, ciphertext Y, key K, encryption algorithm EK, decryption algorithm DK.
Cryptography Characterize cryptographic systems by: Type of encryption operations used Substitution / Transposition / Product Number of keys used Single-key or secret / two-key or public Way in which plaintext is processed Block / stream Cryptographic systems can be characterized along these three independent dimensions.
More Definitions Unconditional security Computational security No matter how much computer power or time is available, the cipher cannot be broken since the ciphertext provides insufficient information to uniquely determine the corresponding plaintext Computational security Given limited computing resources (e.g. time needed for calculations is greater than the age of universe), the cipher cannot be broken Security of a key/password? Two more definitions are worthy of note. An encryption scheme is unconditionally secure if the ciphertext generated by the scheme does not contain enough information to determine uniquely the corresponding plaintext, no matter how much ciphertext is available. An encryption scheme is said to be computationally secure if either the cost of breaking the cipher exceeds the value of the encrypted information, or the time required to break the cipher exceeds the useful lifetime of the information. Unconditional security would be nice, but the only known such cipher is the one-time pad (later). For all reasonable encryption algorithms, we have to assume computational security where it either takes too long, or is too expensive, to bother breaking the cipher.
Confusion and Diffusion Cipher needs to completely obscure statistical properties of the original message A one-time pad does this More practically, Shannon suggested combining S & P elements to obtain: Diffusion Dissipates statistical structure of plaintext over bulk of ciphertext Confusion Makes relationship between ciphertext and key as complex as possible The terms diffusion and confusion were introduced by Claude Shannon to capture the two basic building blocks for any cryptographic system. Every block cipher involves a transformation of a block of plaintext into a block of ciphertext, where the transformation depends on the key. The mechanism of diffusion seeks to make the statistical relationship between the plaintext and ciphertext as complex as possible in order to thwart attempts to deduce the key. Confusion seeks to make the relationship between the statistics of the ciphertext and the value of the encryption key as complex as possible, again to thwart attempts to discover the key. So successful are diffusion and confusion in capturing the essence of the desired attributes of a block cipher that they have become the cornerstone of modern block cipher design.
Brute Force Search (Exhaustive Key Search) Always possible to simply try every key Most basic attack, proportional to key size Assume either know / recognize plaintext Key Size (bits) Number of Alternative Keys Time required at 1 decryption/µs 106 decryptions/µs 32 232 = 4.3 109 231 µs = 35.8 minutes 2.15 milliseconds 56 256 = 7.2 1016 255 µs = 1142 years 10.01 hours 128 2128 = 3.4 1038 2127 µs = 5.4 1024 years 5.4 1018 years 168 2168 = 3.7 1050 2167 µs = 5.9 1036 years 5.9 1030 years 26 letters (permutation) 26! = 4 1026 2 1026 µs = 6.4 1012 years 6.4 106 years A brute-force attack involves trying every possible key until an intelligible translation of the ciphertext into plaintext is obtained. On average, half of all possible keys must be tried to achieve success. Stallings Table 2.2 shows how much time is required to conduct a brute-force attack, for various common key sizes (DES is 56, AES is 128, Triple-DES is 168, plus general mono-alphabetic cipher), where either a single system or a million parallel systems, are used.
Conventional Encryption Algorithms Data Encryption Standard (DES) The most widely used encryption scheme The algorithm is reffered to as the Data Encryption Algorithm (DEA) DES is a block cipher The plaintext is processed in 64-bit blocks The key is 56-bits in length in the original version
DES Mathematically, the overall processing at each iteration: Li = Ri-1 Ri = Li-1 F(Ri-1, Ki) Concerns about: The algorithm and the key length (56-bits)
Time to break a code (106 decryptions/µs)
Strength of DES – Key Size 56-bit keys have 256 = 7.2 x 1016 values Brute force search looks hard Recent advances have shown possibilities In 1997 on the Internet in a few months In 1998 on dedicated h/w (EFF) in a few days In 1999 above combined in 22 hrs! Still must be able to recognize plaintext Since its adoption as a federal standard, there have been lingering concerns about the level of security provided by DES in two areas: key size and the nature of the algorithm. With a key length of 56 bits, there are 2^56 possible keys, which is approximately 7.2*10^16 keys. Thus a brute-force attack appeared impractical. However DES was finally and definitively proved insecure in July 1998, when the Electronic Frontier Foundation (EFF) announced that it had broken a DES encryption using a special-purpose "DES cracker" machine that was built for less than $250,000. The attack took less than three days. The EFF has published a detailed description of the machine, enabling others to build their own cracker [EFF98]. There have been other demonstrated breaks of the DES using both large networks of computers & dedicated h/w, including: - 1997 on a large network of computers in a few months - 1998 on dedicated h/w (EFF) in a few days - 1999 above combined in 22hrs! It is important to note that there is more to a key-search attack than simply running through all possible keys. Unless known plaintext is provided, the analyst must be able to recognize plaintext as plaintext. Clearly must now consider alternatives to DES, the most important of which are AES and triple DES.
Alternatives to DES A replacement for DES was needed Have theoretical attacks that can break it have demonstrated exhaustive key search attacks A strengthened DES Triple-DEA (Triple-DES) Since its adoption as a federal standard, there have been lingering concerns about the level of security provided by DES in two areas: key size and the nature of the algorithm. With a key length of 56 bits, there are 2^56 possible keys, which is approximately 7.2*10^16 keys. Thus a brute-force attack appeared impractical. However DES was finally and definitively proved insecure in July 1998, when the Electronic Frontier Foundation (EFF) announced that it had broken a DES encryption using a special-purpose "DES cracker" machine that was built for less than $250,000. The attack took less than three days. The EFF has published a detailed description of the machine, enabling others to build their own cracker [EFF98]. There have been other demonstrated breaks of the DES using both large networks of computers & dedicated h/w, including: - 1997 on a large network of computers in a few months - 1998 on dedicated h/w (EFF) in a few days - 1999 above combined in 22hrs! It is important to note that there is more to a key-search attack than simply running through all possible keys. Unless known plaintext is provided, the analyst must be able to recognize plaintext as plaintext. Clearly must now consider alternatives to DES, the most important of which are AES and triple DES.
Triple DEA Use three keys and three executions of the DES algorithm (encrypt-decrypt-encrypt) C = ciphertext P = Plaintext EK[X] = encryption of X using key K DK[Y] = decryption of Y using key K Effective key length of 168 bits (3x56) C = EK3[DK2[EK1[P]]]
Triple DEA
Alternatives to DES Triple-DES AES Cipher – Rijndael Slow Use small blocks AES Cipher – Rijndael Designed by Joan. Daemen and Vincent Rijmen in Belgium Has 128/192/256-bit keys, 128-bit data An iterative rather than feistel cipher Processes data as block of 4 columns of 4 bytes Operates on entire data block in every round Since its adoption as a federal standard, there have been lingering concerns about the level of security provided by DES in two areas: key size and the nature of the algorithm. With a key length of 56 bits, there are 2^56 possible keys, which is approximately 7.2*10^16 keys. Thus a brute-force attack appeared impractical. However DES was finally and definitively proved insecure in July 1998, when the Electronic Frontier Foundation (EFF) announced that it had broken a DES encryption using a special-purpose "DES cracker" machine that was built for less than $250,000. The attack took less than three days. The EFF has published a detailed description of the machine, enabling others to build their own cracker [EFF98]. There have been other demonstrated breaks of the DES using both large networks of computers & dedicated h/w, including: - 1997 on a large network of computers in a few months - 1998 on dedicated h/w (EFF) in a few days - 1999 above combined in 22hrs! It is important to note that there is more to a key-search attack than simply running through all possible keys. Unless known plaintext is provided, the analyst must be able to recognize plaintext as plaintext. Clearly must now consider alternatives to DES, the most important of which are AES and triple DES.
Block vs. Stream Ciphers Block ciphers Process messages in blocks, each of which is then en/decrypted Like a substitution on very big characters 64-bits or more Need a table of 2^64 entries for a 64-bit block Instead, create from smaller building blocks Using the idea of a product cipher Many current ciphers are block ciphers A wide range of applications Stream ciphers Process messages a bit or byte at a time when en/decrypting Block ciphers work a on block / word at a time, which is some number of bits. All of these bits have to be available before the block can be processed. Stream ciphers work on a bit or byte of the message at a time, hence process it as a “stream”. Block ciphers are currently better analysed, and seem to have a broader range of applications, hence focus on them.
Other Symmetric Block Ciphers International Data Encryption Algorithm (IDEA) 128-bit key Used in PGP Blowfish Easy to implement High execution speed Run in less than 5K of memory
Other Symmetric Block Ciphers RC5 Suitable for hardware and software Fast, simple Adaptable to processors of different word lengths Variable number of rounds Variable-length key Low memory requirement High security Data-dependent rotations Cast-128 Key size from 40 to 128 bits The round function differs from round to round
Location of Encryption Device Link encryption: A lot of encryption devices High level of security Decrypt each packet at every switch End-to-end encryption The source encrypts and the receiver decrypts Payload encrypted Header in the clear High Security Both link and end-to-end encryption are needed
Key Distribution Physical delivery Network transfer A key could be selected by A and physically delivered to B. A third party could select the key and physically deliver it to A and B. Network transfer If A and B have previously used a key, one party could transmit the new key to the other, encrypted using the old key. If A and B each has an encrypted connection to a third party C, C could deliver a key on the encrypted links to A and B. Diffie-Hellman key exchange
Session and Permanent Key Session key: Data encrypted with a one-time session key At the conclusion of the session, the key is destroyed Permanent key: Used between entities for the purpose of distributing session keys
Recommended Reading Scneier, B. Applied Cryptography, New York: Wiley, 1996 Mel, H.X. Baker, D. Cryptography Decrypted. Addison Wesley, 2001