David Evans, CS588: Security and Privacy, University of Virginia Computer Science. Lecture 6: Striving for Confusion. “Structures have been found in DES that were undoubtedly inserted to strengthen the system against certain types of attack. Structures have also been found that appear to weaken the system.” Lexar Corporation, “An Evaluation of the DES”, 1976.
8 February 2005, University of Virginia CS 588. Menu: PS1 Question 4b – Will return PS1 Thursday. DES. Strengthening DES. Breaking DES.
Permutation Cipher: How much information can be transmitted with perfect secrecy using symbols from the English alphabet (26 letters) with a transposition cipher with block size 8 and a permutation chosen randomly from all possible permutations?
Key Space: Random permutation: 8! keys. Perfect Cipher Keyspace Theorem: cannot transmit more than 8! different messages securely.
! Messages: M = { ABCDEFGH, BACDEFGH, CABDEFGH, DABCEFGH, EABCDFGH, … }. Why couldn’t you also include IJKLMNOP? What if there were only 2 alphabet symbols? (Note: can transmit as many blocks as you want.) Midterm Question.
Feistel Cipher Recap. [Diagram labels: Plaintext; Round; $L_0$, $R_0$; F; $K_1$; $L_1$, $R_1$; Substitution; Permutation.] Last time: – Decryption works, as long as the keys are used in reverse order – Can provide confusion and diffusion (because of permutation), but only if F is confusing
DES: NIST (then NBS) sought standard for data security (1973). IBM’s Lucifer only reasonable proposal. Modified by NSA – Changed S-Boxes – Reduced key from 128 to 56 bits. Adopted as standard in 1976. More bits have been encrypted using DES than any other cipher.
DES Algorithm: Feistel cipher with added initial permutation. Complex choice of F. 16 rounds. 56-bit key; shifts and permutations produce 48-bit subkeys for each round.
DES’s F. [Diagram: 32 bits → Expand and Permute (using E table) → 48 bits, with $K_n$ → Substitute (using S boxes) → 32 bits → Permutation.] The goal is confusion!
S-Boxes. [Diagram: S-Box, 6 bits → 4 bits. Example:] Critical to security. NSA changed choice of S-Boxes. Only non-linear step in DES. 64 entry lookup table. E(11) E(01) + E(10)
DES Avalanche. [Figure: changed bits (marked *) in the input, after the initial permutation, after each of rounds 1 to 16, and in the output. Source: Willem de Graaf]
Key Schedule: Need bit keys – Best security: just use 16 independent keys – 768 key bits. 56-bit key used (64 bits for parity checking) – Produce 48-bit round keys by shifting and permuting
DES Keys: $K_i = \mathrm{PC}(\mathrm{Shift}(\mathrm{Left}(K_{i-1})) \,\|\, \mathrm{Shift}(\mathrm{Right}(K_{i-1})))$. [Diagram labels: Key, 56 bits; 28 bits; Shift (1 or 2 bits); Compress/Permute; $K_n$; Next round.] Are there any weak keys?
Is DES a perfect cipher? No: more messages than keys. Even for 1 64-bit block: $2^{64}$ messages > $2^{56}$ keys
Attacking DES: Brute Force. Key is 56 bits. $2^{56}$ = 7.2 * = 72 quadrillion. Try 1 per second = 9 Billion years to search entire space. Distributed attacks – Steal/borrow idle cycles on networked PCs – Search half of key space with PCs * 1M keys/second in 25 days
Brute Force Attacks. RSA DES challenges: – 1997: 96 days (using 70,000 machines) – Feb 1998: 41 days (distributed.net)
Multiple Encryption
Multiple Encryption: $C = E_{K_2}(E_{K_1}(P))$. Does it double the key space? Monoalphabetic cipher: $C_i = K_2[K_1[P_i]] = K_3[P_i]$ for some $K_3$
Double-Vigenère
$C = E_{K_2}(E_{K_1}(P))$
Vigenère: $C_i = (P_i + K_{i \bmod N}) \bmod Z$
$C_i = ((P_i + K1_{i \bmod N1} \bmod Z) + K2_{i \bmod N2}) \bmod Z$
$= (P_i + K1_{i \bmod N1} + K2_{i \bmod N2}) \bmod Z$
if N1 = N2: $= (P_i + K3_{i \bmod N}) \bmod Z$ (K3 = K1 + K2)
what if N1 N2 ?
Double-Vigenère: K1 = "BOND", K2 = "JAMES"
  BONDBONDBONDBONDBONDBONDBOND
+ JAMESJAMESJAMESJAMESJAMESJAM
= KOZHTXNPFGWDNSFMBARVKOZHTXNP
Effective key length: LCM (N1, N2) = 20
Double DES: $C = E_{K_2}(E_{K_1}(P))$. Is there a $K_3$ such that $C = E_{K_3}(P)$? – There are $2^{56}$ keys, and $2^{64}!$ mappings – If DES is good, keys map randomly to mappings. – Probability that a randomly chosen mapping corresponds to a DES key: $2^{56} / 2^{64}! \ll 1 / 2^{63}!$. Effective key size of Double DES? = $2^{56} \cdot 2^{56}$ = WRONG!
Known Plaintext Attack. [Diagram: $P$ → $E$ ($K_1$) → $E$ ($K_2$) → $C$. From $P$: $E$, try all possible keys: $X_{K_1}, X_{K_2}, \ldots, X_{K_{2^{56}}}$. From $C$: $D$, try all possible keys: $Y_{K_1}, Y_{K_2}, \ldots, Y_{K_{2^{56}}}$.] One $X_{K_i} = Y_{K_j}$ means $K_1 = K_i$ and $K_2 = K_j$
Meet-in-the-Middle Attack: $C = E_{K_2}(E_{K_1}(P))$; $X = E_{K_1}(P) = D_{K_2}(C)$. Brute force attack (given one P/C pair): calculate $E_{K_1}(P)$ for all keys ($2^{56}$ work); calculate $D_{K_2}(C)$ for all keys ($2^{56}$ work); the match gives the keys. Total work = $2 \cdot 2^{56} = 2^{57}$
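Added example (not from the lecture): the meet-in-the-middle search against double encryption, using a toy 32-bit Feistel cipher with 12-bit keys so that it finishes instantly. The cipher, its constants and the key values are invented here and DES itself is not implemented. It also checks a second P/C pair to discard chance matches, a step the slide does not show.

```python
KEY_BITS = 12        # toy key size (DES uses 56); keeps the search instant
MASK16 = 0xFFFF

def _f(half, key, rnd):
    # Round function of the toy cipher: mix half-block, key and round number.
    x = (half ^ (key * 0x9E5 + rnd * 0x3D7)) & MASK16
    x = (x * 0x6487 + 0x1F3B) & MASK16
    return x ^ (x >> 7)

def encrypt(key, block, rounds=4):
    left, right = block >> 16, block & MASK16
    for rnd in range(rounds):
        left, right = right, left ^ _f(right, key, rnd)
    return (left << 16) | right

def decrypt(key, block, rounds=4):
    left, right = block >> 16, block & MASK16
    for rnd in reversed(range(rounds)):
        left, right = right ^ _f(left, key, rnd), left
    return (left << 16) | right

def double_encrypt(k1, k2, block):
    return encrypt(k2, encrypt(k1, block))

def meet_in_the_middle(pairs):
    """Recover (K1, K2) from known plaintext/ciphertext pairs."""
    (p0, c0), extra = pairs[0], pairs[1:]
    middle, trials, found = {}, 0, []
    for k1 in range(1 << KEY_BITS):   # X = E_K1(P) for every K1
        middle.setdefault(encrypt(k1, p0), []).append(k1)
        trials += 1
    for k2 in range(1 << KEY_BITS):   # Y = D_K2(C); a match means X == Y
        trials += 1
        for k1 in middle.get(decrypt(k2, c0), []):
            # Further pairs weed out chance matches in the middle.
            if all(double_encrypt(k1, k2, p) == c for p, c in extra):
                found.append((k1, k2))
    return found, trials

def demo():
    k1, k2 = 0x3A7, 0xC51             # secret keys, constructed for the demo
    pairs = [(p, double_encrypt(k1, k2, p)) for p in (0x00C0FFEE, 0x12345678)]
    found, trials = meet_in_the_middle(pairs)
    return (k1, k2), found, trials

if __name__ == "__main__":
    print(demo())
```

The table holds one entry per K1, so the saving in time is paid for in memory: for DES that is 2^56 stored middle values.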
Hmmm…maybe thrice?
Key Triple DES: $C = E_{K_1}(D_{K_2}(E_{K_1}(P)))$. Why $D_{K_2}$ not $E_{K_2}$? – Backwards compatibility with DES – If K1 = K2: $C = E_{K_1}(D_{K_1}(E_{K_1}(P))) = E_{K_1}(P)$. Actual key size = bits = 112 bits. Meet-in-the-middle? – $X = E_{K_1}(P) = D_{K_1}(E_{K_2}(C))$; $2^{56}$; need to try $2^{112}$
How secure is Triple-DES? Brute force search: keys – Best DES attack: 245 B keys/second – 6.7 * years (compared to 22 hours) – $10^{11}$ years = total lifetime of universe (closed universe theory). Best known attack - reduces to $\log_2 n$ – n = number of known P-C pairs – n = $2^{64}$, work is $2^{56}$. Realistic?
Key Triple DES: $C = E_{K_3}(D_{K_2}(E_{K_1}(P)))$. H(K) = 168. Used by PGP, S/MIME. How much work to brute-force? – Meet-in-the-middle: $X = D_{K_3}(C) = D_{K_2}(E_{K_1}(P))$
Cracking DES (1998): 90B keys per second. Cost < $250K (in 1998). 56 hours to solve RSA DES Challenge.
Cracking DES (2001): Mike Bond, Richard Clayton (University of Cambridge PhD Students). IBM 4578 “Cryptoprocessor” (used in banking security – generates PINs from account numbers). $995 for custom FPGA. 20 hours to extract key. Meet-in-the-middle attack (we’ll discuss this next class).
Cracking DES (2005): Girish Ratanpal
POWER ANALYSIS ATTACKS Girish Ratanpal Electrical & Computer Engineering UVA
The Problem: Mathematically secure cryptographic algorithms. Implementations leak out information. Side-channels – Execution time – Power consumption – Radio frequencies – Electric/magnetic fields
The power consumption side-channel: Correlation between operation and power consumed. – E.g. MOV 0 v/s MOV FF. Correlation between power consumed and bit transitions at the output of gates. – E.g. 0 1 v/s 1 0
DPA attack on DES: Guess the 6-bit sub-key of K16. Determine $C_i$, L15[0]. Determine selection function $D(C_i, b, K16)$.
DES attack contd.: Collect power traces with k time samples for m cipher-texts. Divide the traces into two sets T0 and T1 using the selection function. Compute the average. – this is the DPA trace
S[k] with Correct Guess
S[k] with Incorrect Guess
Subkey for SBOX-5
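Added example (not the presenter's code): the difference-of-means procedure from the two DPA slides, run on simulated traces. Assumptions: the traces are constructed (Gaussian noise plus the target bit at one sample), the selection function is simplified to the low output bit of DES S-box 1 rather than a recomputed L15 bit, and the subkey 0x2B is arbitrary.

```python
import random

# DES S-box 1: 6-bit input, 4-bit output; outer two input bits pick the row.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def select(c, guess):
    """Selection function D: predicted low bit of the S-box output."""
    x = c ^ guess
    return S1[((x >> 4) & 2) | (x & 1)][(x >> 1) & 0xF] & 1

def simulate(subkey, m, k, leak_at, noise, rng):
    """m constructed traces of k samples; one sample leaks the target bit."""
    data = []
    for _ in range(m):
        c = rng.randrange(64)  # the 6 data bits entering the S-box
        trace = [rng.gauss(0.0, noise) for _ in range(k)]
        trace[leak_at] += select(c, subkey)
        data.append((c, trace))
    return data

def dpa_trace(data, guess, k):
    """S[k]: mean trace of set T1 minus mean trace of set T0."""
    sums, counts = [[0.0] * k, [0.0] * k], [0, 0]
    for c, trace in data:
        d = select(c, guess)
        counts[d] += 1
        for t, v in enumerate(trace):
            sums[d][t] += v
    return [sums[1][t] / max(counts[1], 1) - sums[0][t] / max(counts[0], 1)
            for t in range(k)]

def recover_subkey(data, k):
    peaks = {g: max(abs(v) for v in dpa_trace(data, g, k)) for g in range(64)}
    return max(peaks, key=peaks.get), peaks

def demo(noise=0.5, seed=588):
    data = simulate(0x2B, m=2000, k=12, leak_at=7, noise=noise,
                    rng=random.Random(seed))
    return recover_subkey(data, 12)

if __name__ == "__main__":
    best, peaks = demo()
    print(hex(best), round(peaks[best], 2))
```

Raising `noise` models noise insertion: the expected peak for the correct guess stays at 1 while the noise floor of S[k] rises, so more traces are needed to separate them.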
Existing Countermeasures
1. Noise Insertion: Directly reduces SNR of S[k].
2. Temporal De-synchronization: Randomly varying clock; Dummy instructions; Randomized instruction stream
3. Algorithmic Countermeasure: Intermediate results masking
4. Supply Current Shielding: Off-chip capacitors
Existing Countermeasures: Algorithmic & Temporal De-synchronization – affect implementation. Need for a solution that – Puts minimal constraints on hardware implementation – Can be integrated on-chip
Suppression circuit: Voltage sensed by $R_{sense}$. Current feedback to keep voltage constant. $C_{filter}$ for high frequency components.
Result of Suppression
DPA on Protected Device
Charge: Deadline for project proposals delayed until Feb 17 – Start using the forum to find project teams. PS2 out today, due next Tuesday – Read the attached paper before Thursday’s class – We’ll talk about it Thursday