1
15-349 Introduction to Computer and Network Security
Iliano Cervesato 31 August 2008 – Symmetric Encryption
2
Where we are
Course intro
Cryptography
  Intro to crypto
  Modern crypto
  Symmetric encryption
  Asymmetric encryption
  Beyond encryption
  Cryptographic protocols
  Attacking protocols
Program/OS security & trust
Networks security
Beyond technology
3
Outline
Shared-key cryptography – Review
The Data Encryption Standard - DES
  Feistel networks
  How DES works
  Attacks and weaknesses
  3DES and variants
The Advanced Encryption Standard - AES
  The AES contest
  How AES works
Encrypting long messages
  Block ciphers
  Stream ciphers
  One-time pad
  Random number generators
  RC4
4
Symmetric Encryption Schemes
(K, E, D)
Key generation algorithm
  $K : \{0,1\}^k$
Encryption algorithm
  $E : \{0,1\}^a \times \{0,1\}^k \to \{0,1\}^c$
  $E_k : \{0,1\}^a \to \{0,1\}^c$
Decryption algorithm
  $D : \{0,1\}^c \times \{0,1\}^k \to \{0,1\}^a$
  $D_k : \{0,1\}^c \to \{0,1\}^a$
5
Functional requirements
$E, D : \{0,1\}^n \times \{0,1\}^k \to \{0,1\}^n$
$D_k(E_k(m)) = m$
  For every k, $E_k$ is an injection with inverse $D_k$
$E_k(m)$ is easy to compute, given m and k
$D_k(x)$ is easy to compute, given x and k
  Polynomial in max{n,k} - often linear
If $x = E_k(m)$, it is hard to find m without k
  Exponential in k
6
Symmetric Encryption
[Diagram: the message (cleartext) m and the secret key k enter the encryption box E, which outputs the encrypted message (ciphertext) x; the decryption box D takes x and k and returns the message (cleartext) m.]
$D_k(E_k(m)) = m$
7
Exclusive OR
Fundamental operation of many ciphers
Properties
  $y \oplus y = 0$
  $y \oplus 0 = y$
  $y \oplus 1 = \bar{y}$
  $y \oplus z \oplus z = y$
8
DES - Data Encryption Standard
Secure civilian encryption scheme
Standardized
Design approach
1972: NBS call for proposals
1974: interest in IBM’s Lucifer approach
Analyzed by DoD and enhanced by NSA
Worries of backdoors
1976: adopted as standard
4 years + IBM’s work
9
Black-box view of DES
Message blocks: 64 bits
Keys: 56 bits – fixed!
Speed
  Uses only standard arithmetic/logical operations
  Software: 43,000 block/sec ~ 2.7 Mbit/sec
    Measured on an old at 66MHz
    OK for files and web pages
    Too slow for sound and video
  Hardware: 16.8 million block/sec ~ 1 Gbit/sec
    High speed Ethernet: 100 Mbit/sec
    Modem: 56 Kbit/sec
[Diagram: a 64-bit cleartext block enters DES, which outputs a 64-bit ciphertext block.]
10
Feistel Networks
$f_1, \ldots, f_k : \{0,1\}^n \to \{0,1\}^n$
  Arbitrary functions
  Not necessarily invertible
$L_i = R_{i-1}$
$R_i = L_{i-1} \oplus f_i(R_{i-1})$
[Diagram: two n-bit halves $L_0$ : $R_0$ pass through Round 1, Round 2, …, Round k-1, Round k; round i applies $f_i$ and outputs $L_i$ : $R_i$, ending with $L_k$ : $R_k$.]
11
Inverting a Feistel Network
Theorem
  For any $f_1, \ldots, f_k : \{0,1\}^n \to \{0,1\}^n$, a Feistel network computes a permutation $p : \{0,1\}^n \to \{0,1\}^n$
Inverse:
  $L_{i-1} = R_i \oplus f_i(L_i)$
  $R_{i-1} = L_i$
Feistel networks convert generic functions into permutations
[Diagram: the network with rounds $f_1$, $f_2$, …, $f_{k-1}$, $f_k$ between $L_0$ : $R_0$ and $L_k$ : $R_k$.]
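The theorem above, as an added example that is not part of the original slides: a Feistel network built from round functions that are not invertible, with the inverse computed exactly as in the "Inverse" equations. The SHA-256-derived round functions and all names are assumptions of this example; this is not DES (no S-boxes, no DES key schedule).

```python
import hashlib

def keyed_round_functions(key: bytes, rounds: int, n_bits: int):
    """Derive f_1..f_k from a key by truncating SHA-256 to n_bits.
    A truncated hash behaves like a random function, not a bijection."""
    def make(i):
        def f(x: int) -> int:
            h = hashlib.sha256(key + bytes([i]) + x.to_bytes(8, "big")).digest()
            return int.from_bytes(h, "big") & ((1 << n_bits) - 1)
        return f
    return [make(i) for i in range(1, rounds + 1)]

def feistel_encrypt(block, fs):
    left, right = block
    for f in fs:
        # L_i = R_{i-1};  R_i = L_{i-1} xor f_i(R_{i-1})
        left, right = right, left ^ f(right)
    return left, right

def feistel_decrypt(block, fs):
    left, right = block
    for f in reversed(fs):
        # R_{i-1} = L_i;  L_{i-1} = R_i xor f_i(L_i)  (f_i is only ever run forwards)
        left, right = right ^ f(left), left
    return left, right

def is_permutation(fs, n_bits):
    """Exhaustively check that distinct (L, R) inputs give distinct outputs."""
    size = 1 << n_bits
    images = {feistel_encrypt((l, r), fs) for l in range(size) for r in range(size)}
    return len(images) == size * size

if __name__ == "__main__":
    # Constructed inputs: 16 rounds on 32-bit halves, the same shape as DES.
    fs = keyed_round_functions(b"demo key", 16, 32)
    block = (0x01234567, 0x89ABCDEF)
    cipher = feistel_encrypt(block, fs)
    print([hex(v) for v in cipher], feistel_decrypt(cipher, fs) == block)
    # Deliberately non-invertible 4-bit round functions: constant, squaring, zero.
    print(is_permutation([lambda x: 7, lambda x: (x * x) & 0xF, lambda x: 0], 4))
```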
12
Inside DES
DES is a Feistel network with 16 rounds
  64 bit cleartext blocks
  56 bits key
  $f_1, \ldots, f_{16}$ derived from key
  Initial permutation p (public)
Decryption
  Apply $f_{16}, \ldots, f_1$ (in reverse order)
  Same chip
[Diagram: the 64-bit cleartext goes through p, then the 16-round Feistel network keyed with the 56-bit key, then $p^{-1}$, giving the 64-bit ciphertext.]
13
The Functions $f_i$
$f_i(x) = F(x, k_i)$
$k_i$ derived from k
  Public key schedule
$F : \{0,1\}^{32} \times \{0,1\}^{48} \to \{0,1\}^{32}$ is public
  ½ block x expanded to x’
    Public replicator r
  S-boxes $S_j$ are public
    … where the magic happens
    Rationale was kept secret
  Final permutation p’ is public
    Shuffles input for next round
[Diagram: the 32-bit half block x goes through r to give the 48-bit x’; the 48-bit $k_i$ comes from the 56-bit key; eight S-boxes $S_1$ … $S_8$ each take 6 bits and output 4 bits; the resulting 32 bits go through p’ to give $F(x, k_i)$.]
14
Security of DES
Differential cryptanalysis
  Observe effects of
    Little changes in input
    Little changes to algorithms
  DES found optimal
Key length
  56 bits was fine in the 70’s
  Not now … Moore’s law
15
Attacks on DES
Exhaustive search
  Given plaintext m and ciphertext x, with high probability there is a single key k s.t. x = DES(m,k)
  Trying $10^6$ keys/sec, it takes 2,000 years
However …
  1998, $130,000 homemade supercomputer breaks DES in 112 hours (CPA)
More sophisticated attacks
  Use properties (e.g. $\mathrm{DES}(\bar{m},\bar{k}) = \overline{\mathrm{DES}(m,k)}$)
  Linear / differential cryptanalysis
16
Avoiding Exhaustive Search – 3DES
DES is not a group
  Given $k_1$, $k_2$, with high probability there is no $k_3$ s.t. $E_{k_1}(E_{k_2}(m)) = E_{k_3}(m)$ for every m
$3\mathrm{DES}_{k_1,k_2,k_3}(m) = E_{k_1}(E_{k_2}(E_{k_3}(m)))$
  Key length: 112 bits
  Very popular
[Diagram: three DES encryption boxes in sequence.]
17
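How about a 2DES?
$2\mathrm{DES}_{k_1,k_2}(m) = E_{k_1}(E_{k_2}(m))$ ??
Meet-in-the-middle attack!
  [Diagram: E is applied to m and D is applied to X, trying all possible 56-bit keys; the resulting lists (X1, X2, … and m1, m2, …) are compared for equality (= ?).]
  For key length n, total work is “only” $2^n + 2^n = 2^{n+1}$
  Effective key length is just 57 bits!
Applies to any encryption algorithm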
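Why doubling the key does not double the security, as an added example that is not part of the original slides: the $2^n + 2^n$ count above, measured on a constructed toy cipher with n = 16 so it finishes in well under a second. `toy_e` and `toy_d` are assumptions of this example and stand in for DES; they are not secure and are not DES.

```python
from collections import defaultdict

M32, MUL, KEY_BITS = 0xFFFFFFFF, 0x9E3779B1, 16
INV = pow(MUL, -1, 1 << 32)   # MUL is odd, so it has an inverse mod 2^32

def toy_e(k, m):
    """Constructed toy cipher: 32-bit block, 16-bit key. Not DES, not secure."""
    for r in range(3):
        m = ((m + k * 0x10001 + r) * MUL) & M32
        m ^= m >> 16
    return m

def toy_d(k, x):
    for r in reversed(range(3)):
        x ^= x >> 16              # x ^= x >> 16 is its own inverse on 32 bits
        x = (x * INV - k * 0x10001 - r) & M32
    return x

def double_e(k1, k2, m):
    return toy_e(k1, toy_e(k2, m))    # same shape as 2DES: E_k1(E_k2(m))

def meet_in_the_middle(pairs):
    """Find (k1, k2) from known (m, x) pairs; also return the cipher calls spent
    on the two sweeps (confirming candidates on the extra pairs is not counted)."""
    (m, x), extra = pairs[0], pairs[1:]
    middle = defaultdict(list)
    for k2 in range(1 << KEY_BITS):           # 2^n encryptions of m
        middle[toy_e(k2, m)].append(k2)
    calls, found = 1 << KEY_BITS, []
    for k1 in range(1 << KEY_BITS):           # 2^n decryptions of x
        calls += 1
        for k2 in middle.get(toy_d(k1, x), ()):
            if all(double_e(k1, k2, mi) == xi for mi, xi in extra):
                found.append((k1, k2))
    return found, calls

def demo():
    k1, k2 = 0xBEEF, 0x1234                   # constructed secret keys
    msgs = [0x00000000, 0xDEADBEEF, 0x0BADF00D]
    pairs = [(m, double_e(k1, k2, m)) for m in msgs]
    found, calls = meet_in_the_middle(pairs)
    return (k1, k2) in found, calls, 2 ** (2 * KEY_BITS)

if __name__ == "__main__":
    ok, calls, brute = demo()
    print(f"keys recovered: {ok}; cipher calls: {calls} vs up to {brute} by brute force")
```

The price of the shortcut is memory: the table holds one entry per key, which is what the 3DES construction on the previous slide is designed to outgrow.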
18
Another variant – 2.5-DES
$2.5\mathrm{DES}_{k_1,k_2}(m) = E_{k_1}(D_{k_2}(E_{k_1}(m)))$
Effective key length: 80 bits
[Diagram: two DES encryption boxes and one DES decryption box.]
19
$\mathrm{DESX}_{k_1,k_2,k_3}(m) = k_1 \oplus E_{k_2}(m \oplus k_3)$
Key length: *64 = 184 bits
However, effective key length is only about 100 bits
[Diagram: DES encryption box.]
20
AES – a Successor to DES
Advanced Encryption Standard
1996: NIST issues public call for proposal
  Secure for next years
  Block cipher faster than 3DES
  Variable key lengths (128, 192, 256, … bits)
  Open design
  Exportable world-wide
1998: 15 algorithms selected
1999: 5 finalists
  Public (and private) cryptanalysis for 4 years
21
Oct. 2000: AES Contest Winner
Rijndael, by J. Daemen and V. Rijmen
Fast (~18-20 cycles to encrypt a byte)
  Bit operations: $\oplus$, shift, addition, …
Small (98 Kb)
Well understood characteristics
  Based on mathematics (Galois fields)
Officially adopted as AES in Dec. 2001
22
Black-box view of AES
Message blocks: 128 bits
Keys: 128, 192, 256 bits
  But Rijndael allows any multiple of 64 bits
  Extensible if necessary
[Diagram: a 128-bit cleartext block and a key of 128+ bits enter AES, which outputs a 128-bit ciphertext block.]
23
Inside AES …
n rounds (n = 10, 12, 14)
  Number of rounds varies with key size
  More for longer keys
[Diagram: the key (128, 192 or 256 bits) yields 128-bit round keys $k_1$, $k_2$, …, $k_n$; the 128-bit input passes through Round 1, Round 2, …, Round n, each taking one round key, to give the 128-bit output.]
24
How AES round i works
[Diagram: round i works on 16 bytes laid out as a 4×4 matrix. Labelled steps: add round key $k_i$ to m (bytes x0 … x15), byte substitution (bytes s0 … s15), row shift, (rearrangement), giving bytes b’0 … b’15 for the next round.]
25
AES Vulnerabilities
None discovered so far
Extensive public scrutiny
  4 years before adoption as standard
  7 years of public use so far
26
Encrypting Long messages
Most algorithms operate on fixed sizes
  64 bits for DES
  128 bits for AES
Block ciphers
  Slice m into $m_1, \ldots, m_n$
    Add padding to last block
  Use $E_k$ to produce $x_1, \ldots, x_n$
  Use $D_k$ to recover $m_1, \ldots, m_n$
Stream ciphers
  Rely on pseudo-random sequence
27
Electronic Codebook Mode – ECB
Any identical block encrypted identically
  Lots of ciphertext with the same k
  Dictionary attack
Attacker records blocks
  Substitute them back when appropriate
  Encryption guarantees secrecy, not integrity
[Diagram: each n-bit block of m goes through its own $E_k$ box to give the corresponding n-bit block of x.]
28
Cipher Block Chaining – CBC
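Encryption
  $x_1 = E_k(m_1 \oplus IV)$
  $x_i = E_k(m_i \oplus x_{i-1})$
Decryption
  $m_1 = D_k(x_1) \oplus IV$
  $m_i = D_k(x_i) \oplus x_{i-1}$
Widely used
  E.g. IPSec
IV: Initialization Vector
[Diagram: each n-bit block of m is combined with the previous block of x (the IV for the first block) and passed through $E_k$ to give the next n-bit block of x.]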
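ECB's "identical block encrypted identically" next to the CBC equations above, as an added example that is not part of the original slides. The block cipher is a constructed stand-in (a key-seeded random permutation of 16-bit blocks); it, the sample message and all names are assumptions of this example.

```python
import random
from collections import Counter

BITS = 16  # toy block size; DES uses 64 and AES 128

def toy_block_cipher(key):
    """Constructed stand-in for E_k / D_k: a key-seeded random permutation of
    all 16-bit blocks and its inverse table. For illustration only."""
    table = list(range(1 << BITS))
    random.Random(key).shuffle(table)
    inverse = [0] * len(table)
    for m, x in enumerate(table):
        inverse[x] = m
    return table.__getitem__, inverse.__getitem__

def ecb_encrypt(E, blocks):
    return [E(m) for m in blocks]     # every block on its own: x_i = E_k(m_i)

def cbc_encrypt(E, iv, blocks):
    out, prev = [], iv
    for m in blocks:
        prev = E(m ^ prev)            # x_i = E_k(m_i xor x_{i-1}), with x_0 = IV
        out.append(prev)
    return out

def cbc_decrypt(D, iv, blocks):
    out, prev = [], iv
    for x in blocks:
        out.append(D(x) ^ prev)       # m_i = D_k(x_i) xor x_{i-1}
        prev = x
    return out

def repeated_blocks(cipher_blocks):
    """Number of ciphertext blocks that duplicate an earlier one."""
    return sum(n - 1 for n in Counter(cipher_blocks).values())

# Constructed message: six 16-bit blocks with heavy repetition.
MESSAGE = [0x4142, 0x4142, 0x4142, 0x5A5A, 0x4142, 0x5A5A]

def demo():
    E, D = toy_block_cipher(2008)     # 2008 is an arbitrary demo key
    iv = 0x1F3D                       # constructed IV
    ecb = ecb_encrypt(E, MESSAGE)
    cbc = cbc_encrypt(E, iv, MESSAGE)
    return repeated_blocks(ecb), repeated_blocks(cbc), cbc_decrypt(D, iv, cbc)

if __name__ == "__main__":
    ecb_rep, cbc_rep, recovered = demo()
    print("repeats under ECB:", ecb_rep, "| under CBC:", cbc_rep, "| ok:", recovered == MESSAGE)
```

Counting repeated ciphertext blocks is also a quick check for ECB use when reviewing captured or stored ciphertext.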
29
Output Feedback Mode – OFB
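Encryption
  $x_i = m_i \oplus E_k(IV)^i$
Decryption
  $m_i = x_i \oplus D_k(IV)^i$
NB: encryption is never applied to m
IV: Initialization Vector
[Diagram: the IV is fed through a chain of $E_k$ boxes; the output of each is combined with an n-bit block of m to give the corresponding n-bit block of x.]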
30
One-Time Pad
$E_k(m) = m \oplus k$
$D_k(x) = x \oplus k$
  Requires |m| = |k|
Very fast
Perfect secrecy
  Prob[guessing m] = Prob[guessing m|x]
k should never be reused again!
  $x_1 = m_1 \oplus k$
  $x_2 = m_2 \oplus k$
  $x_1 \oplus x_2 = m_1 \oplus m_2$
k very large for long messages
  How to distribute it?
31
Pseudo-Random Bit Generators
Deterministic functions $RNG : \{0,1\}^n \to \{0,1\}^{*}$
  Stretch fixed-size seed to an unbounded sequence that looks random
Computable approximation of one-time pad
Example: RC4
    i := 0
    j := 0
    do forever
      i := i+1 mod 256
      j := j+s[i] mod 256
      swap s[i],s[j]
      t := s[i]+s[j] mod 256
      output s[t]
  Seed: initial value of s
  Size of state: (2256)256
32
Stream Ciphers
One-time pad using a RNG
Use k as seed?
  $E_k(m) = m \oplus RNG(k)$
  Reuse problem!
Typical usage (e.g., with DES)
  $E_k(m) = DES_k(s),\ m \oplus RNG(s)$
  Choose new s each time
  [Labels on the two parts of the formula: strong, fast]
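The reuse problem from the one-time pad and stream cipher slides, as an added example that is not part of the original slides: with the key as seed, two ciphertexts XOR to the XOR of their plaintexts; with a new s per message they do not. The key setup loop is standard RC4 and is not shown on the slide; the messages, key and function names are constructed for this example.

```python
import secrets

def rc4_keystream(seed: bytes, length: int) -> bytes:
    """RC4: the standard key setup fills s from the seed, then the output loop
    from the slide produces bytes. RC4 is obsolete; it is used here only
    because the slides use it."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key setup (not shown on the slide)
        j = (j + s[i] + seed[i % len(seed)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):                    # output loop, as on the slide
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def encrypt_seed_is_key(k: bytes, m: bytes) -> bytes:
    return xor(m, rc4_keystream(k, len(m)))    # E_k(m) = m xor RNG(k)

def encrypt_fresh_seed(m: bytes, s: bytes = None):
    """m xor RNG(s) with a new s per message. The slide also sends DES_k(s) so the
    receiver can recover s; that wrapping step is not modelled here."""
    s = s if s is not None else secrets.token_bytes(16)
    return s, xor(m, rc4_keystream(s, len(m)))

# Constructed sample messages of equal length.
M1, M2 = b"transfer 100 to alice", b"transfer 999 to mallo"

def reuse_leaks(k: bytes = b"shared key") -> bool:
    x1, x2 = encrypt_seed_is_key(k, M1), encrypt_seed_is_key(k, M2)
    return xor(x1, x2) == xor(M1, M2)          # keystream cancels: x1^x2 = m1^m2

def fresh_seed_leaks() -> bool:
    (_, x1), (_, x2) = encrypt_fresh_seed(M1), encrypt_fresh_seed(M2)
    return xor(x1, x2) == xor(M1, M2)

if __name__ == "__main__":
    print("seed = k, x1^x2 == m1^m2:", reuse_leaks())
    print("new s each time, x1^x2 == m1^m2:", fresh_seed_leaks())
```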