March 2005 - R. Smith - University of St Thomas - Minnesota - CISC 210 - Class Today


Class Today
  “Help wanted” for security project
  Recap
  Block Ciphers
  Block Cipher Modes
  Group Problem Solve – Block Ciphers
  Reading Assignment:
    – Internet Cryptography Chapters 1 and 2
    – Chapter excerpt on Volume Encryption from “Authentication”

“Help Wanted” for security project
  (The title probably sounds more impressive than the actual work)
    – I need someone to help collect information about computer security product certifications over the past 3 years
    – Part-time student position for a few weeks
  Qualifications
    – Can deal with MS Access
    – Can read a structured technical document and quickly extract data from it
    – Ability to puzzle out other languages (German, French, maybe Korean or Japanese) preferred but not required

Recap
  Crypto Building Blocks
    – One-way hash
    – Randomness
    – XOR for encryption
    – Keystream generation – pseudo-random number generation
    – Nonces
  Block Ciphers
    – Another building block

Cracking a Block Cipher
  It’s a hard thing to do
  Known plaintext attack
    – You may need several plaintext/ciphertext pairs to attack
    – Generally, you still must do trial-and-error key testing
  Block ciphers are intentionally designed to make this hard.
    – The designers assume the attackers can get a bunch of plaintext/ciphertext pairs
    – Those pairs aren’t enough to leak the key

Hacking Ciphertext
  Let’s try encrypting with a block cipher
  Let’s edit the ciphertext
  Next, decrypt and see what happens.

Cipher Block “Modes”
  These use other crypto building blocks to solve certain problems with block ciphers
  How do we handle partial blocks?
    – Not all digital data will fit exactly into the blocks
    – How do we do a ‘real’ stream cipher with a block cipher?
  Also – There is a ‘patterning’ problem
    – If you just use the block cipher directly, you may leak information through patterns in the encrypted data

“Straight” Crypto – ECB Mode
  Just apply the key to the plaintext
  Block after block after block

Penguin using Straight Crypto
  [Images: BEFORE, AFTER]

What We Want
  [Images: BEFORE, AFTER]

What’s the problem?
  The blocks themselves form patterns
    – We ‘leak’ information because of those patterns
  Also, it only works on whole blocks
    – How do we encrypt partial blocks?
    – I.e., how do we make a block cipher into a stream cipher?

A Simple Idea: Key Autokey (OFB)
  The key stream is independent of the data stream
  Sort of like a ‘stream cipher’ - can work bit by bit
  The “Initialization Vector” – it’s a nonce

OFB Decryption
  Basically identical to the encryption operation
  Start with the initialization vector (IV)
  Generates the exact same key stream

Another view of OFB
  The block cipher provides the PRNG
    – The actual keystream varies with the key and the IV
  [Diagram labels: Block Cipher Algorithm, Initialization Vector (IV), Plaintext, Ciphertext, Key]

A variant: Cipher Feedback (CFB)
  Like OFB, but feeds forward the ciphertext
    – Keystream incorporates the ciphertext
  Like OFB, simple XOR to encrypt

CFB Decryption
  Basically identical to the encryption operation
  Start with the initialization vector (IV)
  Generates the exact same key stream

Yet Another: Counter Mode (CTR)
  Like OFB, but uses a counter instead of chaining
  “Nonce” is a random data value; counter increments
  Like OFB, simple XOR to encrypt

CTR Decryption
  Basically identical to the encryption operation
  Start with the initialization vector (IV)
  Generates the exact same key stream
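
The codebook, OFB, CFB and CTR slides above, side by side, as an added example that is not part of the original slides: the three keystream modes only ever call the cipher in the encrypt direction, decrypt with the same operation, take a short final block without padding, and hide the repeated blocks that codebook use exposes. Keyed BLAKE2b stands in for the block cipher's encrypt direction, and every name and sample value here is an assumption of this example.

```python
import hashlib

BS = 16  # block size in bytes

def E(key, block):  # assumption: keyed BLAKE2b as the cipher's encrypt direction
    return hashlib.blake2b(block, digest_size=BS, key=key).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))  # zip trims to the shorter input

def chunks(data):
    return [data[i:i + BS] for i in range(0, len(data), BS)]

def codebook(key, pt):  # "straight" crypto: whole blocks only
    assert len(pt) % BS == 0, "codebook cannot take a partial block"
    return b"".join(E(key, b) for b in chunks(pt))

def ofb(key, iv, data):  # same call encrypts and decrypts
    out, state = [], iv
    for b in chunks(data):
        state = E(key, state)  # keystream depends on key and IV only
        out.append(xor(b, state))
    return b"".join(out)

def cfb(key, iv, data, decrypt=False):
    out, state = [], iv
    for b in chunks(data):
        out.append(xor(b, E(key, state)))
        state = b if decrypt else out[-1]  # feed the ciphertext forward
    return b"".join(out)

def ctr(key, nonce, data):  # same call encrypts and decrypts
    return b"".join(xor(b, E(key, nonce + i.to_bytes(8, "big")))
                    for i, b in enumerate(chunks(data)))

def repeats(ct):  # full ciphertext blocks that duplicate an earlier one
    full = [b for b in chunks(ct) if len(b) == BS]
    return len(full) - len(set(full))

def demo():
    key, iv = b"constructed key", bytes(range(BS))
    pt = b"PENGUIN PENGUIN " * 6  # constructed sample: 6 identical blocks
    msg = pt + b"partial"         # 103 bytes, so the last block is short
    ct = {"OFB": ofb(key, iv, msg), "CFB": cfb(key, iv, msg),
          "CTR": ctr(key, iv[:8], msg)}
    back = {"OFB": ofb(key, iv, ct["OFB"]), "CFB": cfb(key, iv, ct["CFB"], True),
            "CTR": ctr(key, iv[:8], ct["CTR"])}
    report = {"codebook": (repeats(codebook(key, pt)), None)}
    for mode in ct:  # (repeated blocks, decrypts back to msg at same length)
        ok = back[mode] == msg and len(ct[mode]) == len(msg)
        report[mode] = (repeats(ct[mode]), ok)
    return report

if __name__ == "__main__":
    print(*demo().items(), sep="\n")
```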

A Popular Choice: CBC
  Kind of Rube Goldberg-ish
  Each block of plaintext is mixed with the previous block of ciphertext before encryption
  Again, uses an IV

CBC Decryption
  Start with the initialization vector (IV)
  XOR with decrypted ciphertext to yield plaintext
  “Error extension” - how do errors propagate?
  Can we “mix and match” blocks?

Quick Overview of Modes
  Seen Here
    – Codebook – the non-mode
    – OFB – gives us a basic stream cipher
    – CFB – Feeds back the ciphertext, not the keystream
    – CTR – reasonable choice for disk drive encryption
    – CBC – complicated and popular
  Others
    – XEX – supercharged CTR mode, used in TrueCrypt

In Class group exercise
  Four groups, 4 problems
    – For each:
      Is the output obviously messed up?
      Does the output ever get back to normal?
      If so, how much output gets affected (#bits, #blocks)?
  1. Swap two blocks in CBC
  2. Ciphertext flips 1 bit in CBC
  3. Swap two blocks in CTR
  4. Ciphertext flips 1 bit in CTR
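
The four cases of the group exercise, run as an added example that is not part of the original slides: each ciphertext is tampered with, decrypted, and compared with the original plaintext to count the wrong bits in every block. A toy 4-round Feistel cipher built on SHA-256 stands in for a real block cipher, and the key, IV, message and all function names are constructed for this example.

```python
import hashlib

BS, ENC, DEC = 16, (0, 1, 2, 3), (3, 2, 1, 0)  # block bytes; Feistel round order

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def feistel(key, blk, rounds):  # toy SHA-256 Feistel stand-in, NOT a real cipher
    l, r = blk[:8], blk[8:]
    for rnd in rounds:
        l, r = r, xor(l, hashlib.sha256(key + bytes([rnd]) + r).digest()[:8])
    return r + l  # final swap: decryption is the same walk with rounds reversed

def blocks(data):
    return [data[i:i + BS] for i in range(0, len(data), BS)]

def cbc_encrypt(key, iv, pt):
    out = [iv]
    for b in blocks(pt):  # mix each block with the previous ciphertext block
        out.append(feistel(key, xor(b, out[-1]), ENC))
    return b"".join(out[1:])

def cbc_decrypt(key, iv, ct):
    prev = [iv] + blocks(ct)
    return b"".join(xor(feistel(key, c, DEC), p) for c, p in zip(blocks(ct), prev))

def ctr_crypt(key, nonce, data):  # the same call encrypts and decrypts
    return b"".join(xor(b, feistel(key, nonce + i.to_bytes(8, "big"), ENC))
                    for i, b in enumerate(blocks(data)))

def swapped(ct, i, j):
    b = blocks(ct)
    b[i], b[j] = b[j], b[i]
    return b"".join(b)

def flipped(ct, bit):  # bit 0 is the first bit of the message
    mask = 1 << (len(ct) * 8 - 1 - bit)
    return (int.from_bytes(ct, "big") ^ mask).to_bytes(len(ct), "big")

def damage(good, bad):  # wrong plaintext bits in each block after decryption
    return [bin(int.from_bytes(xor(g, d), "big")).count("1")
            for g, d in zip(blocks(good), blocks(bad))]

def exercise():
    key, iv, pt = b"constructed key!", bytes(BS), bytes(range(128))  # 8 blocks
    cbc, ctr = cbc_encrypt(key, iv, pt), ctr_crypt(key, iv[:8], pt)
    return {  # problems 1-4 from the slide, blocks numbered from 0
        "cbc_swap": damage(pt, cbc_decrypt(key, iv, swapped(cbc, 2, 5))),
        "cbc_flip": damage(pt, cbc_decrypt(key, iv, flipped(cbc, 256))),
        "ctr_swap": damage(pt, ctr_crypt(key, iv[:8], swapped(ctr, 2, 5))),
        "ctr_flip": damage(pt, ctr_crypt(key, iv[:8], flipped(ctr, 256))),
    }

if __name__ == "__main__":
    print(*exercise().items(), sep="\n")
```

With this sample the CBC swap damages blocks 2, 3, 5 and 6 while the CTR swap damages only 2 and 5; the CBC bit flip garbles block 2 and flips one bit of block 3, and the CTR bit flip changes exactly that one bit. Decryption completes without an error in all four cases, so noticing the change depends on what the resulting plaintext looks like.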

Desktop Crypto Implementations
  File encryption
    – User controlled; sharing and separation on computer
  Hard drive encryption
    – Done in hardware, no real user control
  Volume encryption
    – Done in software; no real user control
  Policy implications!

Operating System Structure
  Pieces of the OS, related to I/O system
    – File system
    – Device drivers
  Drivers are flexible part
  File system and API give a standard ‘view’ of hard drives to user programs

Volume encryption
  Device driver encrypts data written to the drive
  Can’t boot without a password/phrase/key
  Users can steal from each other
    – Trojan horse issue
  Everything is safe if volume is stolen
    – (and key is unknown)

Hard drive encryption
  Fast crypto built into hard drive
  Users can steal from each other
  Crypto is harder to disable
  Problem: how do we handle the key?

Structure Alternatives
  Hard drive encryption
    – At hardware level
    – Outside/beyond device driver
  Volume encryption
    – At device driver level
    – File system sees a normal drive

Software Crypto Dilemmas
  How do we keep the crypto safe?
    – What can ‘they’ subvert
  Subversion examples
    – File encryption
    – Hard drive encryption
  Access control protections

Cipher block modes
  The images all came from the Wikipedia entry on Block Cipher Modes
  The Penguin image was produced by and The GIMP if someone asks.
  Creative Commons License
  This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA.
