1 Introduction to Information Security , Spring 2015 Lecture 6: Applied cryptography: symmetric Eran Tromer Slides credit: John Mitchell, Stanford
2 Cryptography overview
3 History of crypto Ceaser cipher Electromechanical ciphers (e.g., Enigma) Information theory Complexity theory Modern cryptography
4 Cryptography Is A tremendous tool The basis for many security mechanisms Is not The solution to all security problems Reliable unless implemented properly Reliable unless used properly Something you should try to invent yourself unless you spend a lot of time becoming an expert you subject your design to outside review
5 Scenarios Storage Store files privately Protect files from tampering Communication Avoid eavesdropping Avoid corruption “Secure channel” Authentication Many protocols
6 Cryptographic primitives Primitive: syntax and semantics of some cryptographic functionality. A scheme/protocol/algorithm may be an instance of the primitive. Example claim: “AES-128-CBC is a secure symmetric encryption scheme”. Most common cryptographic primitives (very informally): Encryption: confidentiality Adversary cannot learn anything about message from its encrypted form. Symmetric (cipherblock ciphers, stream ciphers) Asymmetric Digital Signatures: integrity/authentication Adversary cannot fake a signature that passes verification. Symmetric (Message Authentication Code) Asymmetric Hashing: Summarizing messages into “unique” short digests Adversary cannot find messages with the same digest.
7 Symmetric cryptography schemes
8 Symmetric encryption 8 E, D: cipher k:secret key (e.g., 128 bits) m:plaintext n:nonce / randomness / c:ciphertextinitial vector (IV) Kerckhoff’s Principle A cryptosystem should be secure even if everything about the system, except the key, is public knowledge. (Never use a proprietary cipher) Alice E m, n E(k,m,n)=c Bob D c,n D(k,c,n)=m k k Key generation
9 9 First example: One Time Pad (single use key) Vernam (1917) Shannon (1949) : OTP is “secure” against ciphertext-only attacks Key: Plaintext: Ciphertext:
10 10 Stream ciphers (single use key) Problem: OTP key is as long the message Solution: XOR with a pseudorandom seed: key PRBG message ciphertext c PRBG (k) m stream Really random (physical source) Pseudorandom string PRBG: “Pseudo-Random Bit Generator” AKA PRG: “Pseudo-Random Generator” Well-known algorithms: RC4, RC5 (not secure anymore), AES in counter mode
11 RC4 stream cipher [Rives 1987] for i = : S[i] = i j = 0 for i = 0 to 255 j = j + S[i] + key[i] swap (S[i], S[j]) i, j = 0 repeat: i = i + 1 j = j + S[i] swap (S[i], S[j]) output to stream: S[ S[i] + S[j] ] Key setup … … Permutation of 256 bytes, depending on key … ji All values are bytes, all arithmetic is mod 256. S is a 256-byte state array. +24 Problem: statistical biases, especially in beginning of stream. Stream generator
12 Dangers in using stream ciphers One time key! “Two time pad” is insecure: C 1 m 1 PRBG(k) C 2 m 2 PRBG(k) Eavesdropper does: C 1 C 2 m 1 m 2 Enough redundant information in English that: m 1 m 2 m 1, m 2
13 Randomized symmetric encryption13 E, D: cipher k:secret key (e.g., 128 bits) m:plaintext n:nonce / randomness / c:ciphertextinitial vector (IV) (Notation: sometimes the nonce is included in c.) Alice E m, n E(k,m,n)=c Bob D c,n D(k,c,n)=m k k Key generation
14 Need for nonce Single-use key: (one time key) Key is only used to encrypt one message encrypted new key generated for every No need for nonce (set to 0) Multi-use key: Key used to encrypt multiple messages SSL: same key used to encrypt many packets Needs either unique nonce or random nonce Otherwise, repeated messages can be identified Multi-use key, but all plaintexts are distinct: Can eliminate nonce using special mode (SIV) 14
15 Block ciphers: crypto work horse E, D Cciphertext blockPlaintext block Key Deterministic; random IV can be supplied as part of plaintext block in a mode of operation (see next).). Efficiency and security optimized for the specific block size. Historically, more secure and easier to analyze than traditional stream ciphers. Works on fixed-size blocks: Common sizes: Cipher DES6456 3DES64168 AES128128/192/256
16 Building a block cipher m L m R m R m L F(k,m R )
17 AES Block Cipher (on a napkin) Source:
18 Block Ciphers Built by Iteration R(k,m): round function for DES (n=16), for AES (n=10) key k key expansion k1k1 k2k2 k3k3 knkn R(k 1, )R(k 2, )R(k 3, )R(k n, ) mc
19 19 Incorrect use of block cipher: ECB (Electronic Codebook) mode Break plaintext into blocks and encrypt independently: Problem: if m 1 =m 2 then c 1 =c 2 PT: CT: m1m1 m2m2 c1c1 c2c2
20 In pictures [visual comparison by Bart Preneel]
21 Correct use of block ciphers I: CBC (Cipher Block Chaining) mode E(k, ) m[0]m[1]m[2]m[3]IV E(k, ) c[0]c[1]c[2]c[3]IV ciphertext Assume E is a secure “pseudorandom permutation” (i.e., a good block cipher). To encrypt a plaintext message m whose size is a multiple of the block size: Q: how to do decryption? To handle messages of different length, use suitable padding.
22 Use cases: how to choose an IV Single use key: no IV needed (IV=0) Multi use key: (CPA Security) Best: use a fresh random IV for every message (IV X) Can use unique IV(e.g counter) [Bitlocker] but then first step in CBC must be IV’ E(k,IV) benefit: may save transmitting IV with ciphertext Multi-use key, but unique messages SIV: eliminate IV by setting IV F(k’, PT) F: secure PRF with key k’ 22
23 CBC with Unique IVs E(k, ) m[0]m[1]m[2]m[3] E(k, ) c[0]c[1]c[2]c[3]IV ciphertext IV E(k, ) IV ′ unique IV means: (k,IV) pair is used for only one message may be predictable so use E(k, ) as PRF
24 In pictures
25 Correct use of block ciphers II: CTR (Counter) mode Encrypt a counter to create a pseudorandom string (similar to stream cipher). These “modes of operations” are proven secure (under suitable definitions). Advantage: allows parallel encryption. key message stream E(k, ) IVIV+1IV+2IV+3 E(k, ) IV ciphertext (random)
26 Performance of ciphers OpenSSL on 2.1GHz Intel i7, 64-byte messages. To benchmark on your computer: $ openssl speed rc4 des-cbc des-ede3 idea-cbc aes-128-cbc Fast, but still bottleneck for: Applications applying crypto at high bandwidth with little processing (web servers, bulk storage encryption, virtual private networks) Small devices (weak CPU, power-limited) Cheaper/faster with dedicated hardware AES instructions in recent x86 Dedicated “cryptographic accelerator” cards AlgorithmSpeed (Mbyte/sec) Block size (bits) Key size (bits) RC4657unlimited DES DES IDEA AES142128
27 Attacks and security definitions What power does the adversary have? Known-ciphertext attack Chosen-ciphertext attacks (CCA) Known-plaintext attack Chosen-plaintext attack (CPA) Chosen before target ciphertext Chosen after target ciphertext Related-key attack What secrecy is preserved? Key remains secret Adversary can learn nothing about a message from observing its encryption For random messages Even if it’s an encryption of one of two messages chosen by adversary, he can’t tell which one it is
28 Hash functions and message integrity
29 Cryptographic hash functions Length-reducing function H Map arbitrary strings to strings of fixed length One way (“preimage resistance”) Given y, hard to find x with H(x)=y Collision resistant Hard to find any distinct m, m’ with H(m)=H(m’) Also useful: 2 nd preimage resistance Given x, hard to find x’ x with H(x’)=H(x) Collision resistance 2 nd preimage resistance preimage resistance
30 Applications of cryptographic hashing Password files (one way) Digital signatures (collision resistant) Sign hash of message instead of entire message Data integrity Compute and securely store hash of some data Check later by recomputing hash and comparing Keyed hash for message authentication MAC – Message Authentication Code
31 Common hash functions: SHA-1, SHA-256 m[0]m[1]m[2]m[3] IV constant H(m) Merkle-Damgard construction:(simplified) 64 x Fixed constants (Expanded) message hhhh Compression function:
32 Performance of hash functions OpenSSL on 2.1GHz Intel i7, 64-byte messages. To benchmark on your computer: $ openssl sha1 sha256 AlgorithmSpeed (Mbyte/sec) Block size (bits) Key size (bits) RC4657unlimited DES DES IDEA AES SHA-1197 SHA
33 Symmetric-key integrity: MAC (Message Authentication Code) Goal: message integrity. No confidentiality. 33 AliceBob kk Message mtag Generate tag: tag S(k, m) Verify tag: V(k, m, tag) = 0/1 ? Note: non-keyed checksum (CRC) is an insecure MAC! Key generation Common nickname for “signature” in symmetric setting
34 Secure MACs Attacker’s power: chosen message attack. for m 1,m 2,…,m q attacker is given t i S(k,mi) Attacker’s goal: existential forgery. produce some new valid message/tag pair (m,t). (m,t) { (m 1,t 1 ), …, (m q,t q ) } Existential unforgeability security: no feasible attacker can witn the above game with more than negligible probability.
35 MAC Construction 1: ECBC 35 Raw CBC E(k, ) m[0]m[1]m[2]m[3] E(k, ) E(k 1, ) tag key = (k, k 1 )
36 36 MAC Construction 2: HMAC (Hash-MAC) Most widely used MAC on the Internet. H: hash function. example: SHA-256 ; output is 256 bits Building a MAC out of a hash function: Standardized method: HMAC S( k, m ) = H( k opad || H( k ipad || m ))
37 37 Construction 3: PMAC – parallel MAC ECBC and HMAC are sequential. PMAC: m[0]m[1]m[2]m[3] F(k, ) F(k 1, ) tag P(k,0)P(k,1) P(k,2) P(k,3)
38 Authenticated (symmetric) Encryption: combining confidentiality and authentication Attaining AE: Compose existing primitives Encrypt-and-MAC (as in SSH) MAC-then-encrypt (as in TLS) Encrypt-then-MAC (as in IPsec, best in theory) Examples: AEAD_AES_128_CBC_HMAC_SHA256, AEAD_CHACHA20_POLY1305 Disadvantage: requires two passes over data, one for encryption and one for MAC/hash From-scratch authenticated ciphers Grain-128a, NORX, … AE mode of operations using existing block ciphers CCM, GCM (NIST-standardized) OCB (patented), AEX, … Ongoing competition: (57 submissions) AES-GCM is nowadays a good conservative choice, reasonably efficient