1. Foundations of Network and Computer Security J J ohn Black Lecture #4 Sep 1 st 2005 CSCI 6268/TLEN 5831, Fall 2005

2. Announcements Please sign up for class mailing list Office Hours on Weds, now 2:30-3:20pm instead of at 4pm Quiz #1 will be on Thursday, Sep 8 th –About 30 mins –At end of class –Office hours day before and morning of –Covers all lecture materials and assigned readings

3. DES -- Feistel Construction IP – Initial permutation swaps bits around for hardware purposes Adds no cryptographic strength; same for FP Each inner application of F and the XOR is called a “round” F is called the “round function” The cryptographic strength of DES lies in F DES uses 16 rounds

4. One Round Key LiLi RiRi F R i+1 L i+1 Each half is 32 bits Round key is 48 bits Is this a permutation (as required)? How do we invert? Note that F need not be invertible with the round key fixed

5. Why so many Rounds? Can we just have one round of Feistel? –Clearly this is insecure How about two rounds? –Expect to be asked a related question on the first quiz DES has 16 rounds –It’s easily broken with 8 rounds using “differential cryptanalysis”

6. The DES Round Function

7. DES Round Function (cont) F takes two inputs –32 bit round value –48 bits of key taken from 56 bit DES key A different subset of 48 bits selected in each round –E is the “expansion” box Turns each set of 4 bits into 6, by merely repeating some bits –S boxes take 6 bits back to 4 bits Non-linear functions and they are the cryptographic heart of DES S-boxes were tweaked by NSA back in the 70’s It is believed that they IMPROVED DES by doing this

8. Full Description of DES If you want all the gory details http://en.wikipedia.org/wiki/DES Challenge Problem: –Alter the S-boxes of DES any way you like so that with ONE plaintext-ciphertext pair you can recover all 56 key bits –(Warning: you need some linear algebra here)

9. So if not DES, then what? Double DES? Let’s write DES(K, P) as DES K (P) Double DES (DDES) is a 64-bit blockcipher with a 112 bit key K = (K1, K2) and is DDES K (P) = DES K2 (DES K1 (P)) We know 112 bits is out of exhaustive search range… are we now secure?

10. Meet in the Middle Attack With enough memory, DDES isn’t much better than single DES! Attack (assume we have a handful of pt-ct pairs P1,C1; P2, C2; …) –Encipher P1 under all 2 56 possible keys and store the ciphertexts in a hash table –Decipher C1 under all 2 56 possible keys and look for a match –Any match gives a candidate 112-bit DDES key –Use P2, C2 and more pairs to validate candidate DDES key until found

11. Meet in the Middle (cont) Complexity –2 56 + 2 56 = 2 57 DES operations –Not much better than the 2 55 expected DES operations for exhaustive search! –Memory requirements are quite high, but there are techniques to reduce them at only a slightly higher cost –End result: no one uses DDES

12. How about Triple-DES! Triple DES uses a 168-bit key K=(K1, K2, K3) TDES K (P) = DES K3 (DES K2 (DES K1 (P))) No known attacks against TDES –Provides 112-bits of security against key-search –Widely used, standardized, etc –More often used in “two-key triple-DES” mode with EDE format (K is 112 bits like DDES): TDES K (P) = DES K1 (DES -1 K2 (DES K1 (P))) –Why is the middle operation a decipherment?

13. AES – The Advanced Encryption Standard If TDES is secure, why do we need something else? –DES was slow –DES times 3 is three times slower –64-bit blocksize could be bigger without adding much cost –DES had other annoying weakness which were inherited by TDES –We know a lot more about blockcipher design, so time to make something really cool!

14. AES Competition NIST sponsored a competition –Individuals and groups submitted entries Goals: fast, portable, secure, constrained environments, elegant, hardware-friendly, patent- free, thoroughly analyzed, etc –Five finalists selected (Aug 1999) Rijndael (Belgium), MARS (IBM), Serpent (Israel), TwoFish (Counterpane), RC6 (RSA, Inc) –Rijndael selected (Dec 2001) Designed by two Belgians

15. AES – Rijndael Not a Feistel construction! –128 bit blocksize –128, 192, 256-bit keysize –SP network Series of invertible (non-linear) substitutions and permutations –Much faster than DES About 300 cycles on a Pentium III –A somewhat risky choice for NIST

16. Security of the AES Some close calls last year (XL attack) –Can be represented as an overdetermined set of very sparse equations –Computer-methods of solving these systems would yield the key –Turns out there are fewer equations than previously thought –Seems like nothing to worry about yet

17. Block Ciphers – Conclusion There are a bunch out there besides AES and DES –Some are pretty good (IDEA, TwoFish, etc) –Some are pretty lousy LOKI, FEAL, TEA, Magenta, Bass-O-Matic If you try and design your own, it will probably be really really bad –Plenty of examples, yet it still keeps happening

18. Blockcipher Review DES –Old, 64-bit blocksize, 56 bit keys –Feistel construction –Never broken except for exhaustive key search AES –New, 128-bit blocksize, 128-256 bit keys –Non-Feistel –Fast, elegant, so far so good

19. Aren’t We Done? Blockciphers are only a start –They take n-bits to n-bits under a k-bit key –Oftentimes we want to encrypt a message and the message might be less than or greater than n bits! –We need a “mode of operation” which encrypts any M 2 {0,1} * –There are many, but we focus on three: ECB, CBC, CTR

20. ECB – Electronic Codebook This is the most natural way to encrypt –It’s what we used with the Substitution Cipher –For blockcipher E under key K: –First, pad (if required) to ensure M 2 ({0,1} n ) + –Write M = M 1 M 2 … M m where each M i has size n-bits –Then just encipher each chunk: C i = E K (M i ) for all 1 · i · m –Ciphertext is C = C 1 C 2 … C m

21. ECB (cont) What’s bad about ECB? –Repeated plaintext blocks are evident in the ciphertext Called “deterministic encryption” and considered bad This was the feature of the Substitution Cipher that allowed us to do frequency analysis Not as bad when n is large, but it’s easy to fix, so why not fix it! –Encrypting the same M twice will yield the same C Usually we’d like to avoid this as well

22. Goals of Encryption Cryptographers want to give up exactly two pieces of information when encrypting a message 1) That M exists 2) The approximate length of M The military sometimes does not even want to give up these two things! –Traffic analysis We definitely don’t want to make it obvious when a message repeats

23. CBC Mode Encryption Start with an n-bit “nonce” called the IV –Initialization Vector –Usually a counter or a random string Blockcipher E under key K, M broken into m blocks of n bits as usual –C 0 = IV –C i = E K (M i © C i-1 ) for all 1 · i · m EKEK EKEK EKEK M2M2 MmMm M1M1 IV C1C1 C2C2 CmCm

24. Features of CBC Mode Ciphertext is C = C 0 C 1 … C m –Ciphertext expansion of n-bits (because of C 0 ) Same block M i, or same message M looks different when encrypted twice under the same key (with different IV’s) No parallelism when encrypting –Need to know C i before we can encipher M i+1 –Decryption is parallelizable however CBC mode is probably the most widely-used mode of operation for symmetric key encryption

25. Digression on the One-Time Pad Suppose Alice and Bob shared a 10,000 bit string K that was secret, uniformly random –Can Alice send Bob a 1KB message M with “perfect” security? –1KB is 8,000 bits; let X be the first 8,000 bits of the shared string K –Alice sets C = M © X, and sends C to Bob –Bob computes C © X and recovers M Recall that M © X © X = M

26. Security of the One-Time Pad Consider any bit of M, m i, and the corresponding bits of X and C, (x i, c i ) –Then c i = m i © x i –Given that some adversary sees c i go across a wire, what can he discern about the bit m i ? Nothing! Since x i is equally likely to be 0 or 1 –So why not use the one-time pad all the time? Shannon proved (1948) that for perfect security the key must be at least as long as the message –Impractical

27. One-Time Pad (cont) Still used for very-top-secret stuff –Purportedly used by Russians in WW II Note that it is very important that each bit of the pad be used at most one time! –The infamous “two time pad” is easily broken Imagine C = M © X, C’ = M’ © X Then C © C’ = M © X © M’ © X = M © M’ Knowing the xor of the two messages is potentially very useful n-time pad for large n is even worse (WEP does this)

28. Counter Mode – CTR Blockcipher E under key K, M broken into m blocks of n bits, as usual Nonce N is typically a counter, but not required C 0 = N C i = E K (N++) © M i Ciphertext is C = C 0 C 1 … C m

29. CTR Mode Again, n bits of ciphertext expansion Non-deterministic encryption Fully parallelizable in both directions Not that widely used despite being known for a long time –People worry about counter overlap producing pad reuse

30. Why I Like Modes of Operation Modes are “provably secure” –Unlike blockciphers which are deemed “hopefully secure” after intense scrutiny by experts, modes can be proven secure like this: Assume blockcipher E is secure (computationally indistinguishable from random, as we described) Then the mode is secure in an analogous black-box experiment –The proof technique is done via a “reduction” much like you did in your NP-Completeness class –The argument goes like this: suppose we could break the mode with computational resources X, Y, Z. Then we could distinguish the blockcipher with resources X’, Y’, Z’ where these resources aren’t that much different from X, Y, and Z

31. Security Model Alice and Bob –Traditional names –Let’s us abbreviate A and B –Adversary is the bad guy This adversary is passive; sometimes called “eve” –Note also the absence of side-channels Power consumption, timing, error messages, etc Adversary Alice Key K Bob

32. Various Attack Models Known-Ciphertext Attack (KCA) –You only know the ciphertext –Requires you know something about the plaintext (eg, it’s English text, an MP3, C source code, etc) –This is the model for the Sunday cryptograms which use a substitution cipher Known-Plaintext Attack (KPA) –You have some number of plaintext-ciphertext pairs, but you cannot choose which plaintexts you would like to see –This was our model for exhaustive key search and the meet in the middle attack

33. Attack Models (cont) Chosen-Plaintext Attack (CPA) –You get to submit plaintexts of your choice to an encryption oracle (black box) and receive the ciphertexts in return –Models the ability to inject traffic into a channel Send a piece of disinformation to an enemy and watch for its encryption Send plaintext to a wireless WEP user and sniff the traffic as he receives it –This is the model we used for defining blockcipher security (computational indistinguishability)

34. Attack Models (cont) Chosen-Ciphertext Attack (CCA) –The strongest definition (gives you the most attacking power) –You get to submit plaintexts and ciphertexts to your oracles (black boxes) –Sometimes called a “lunchtime attack” –We haven’t used this one yet, but it’s a reasonable model for blockcipher security as well

35. So What about CBC, for example? CBC Mode encryption –It’s computationally indistinguishable under chosen plaintext attack You can’t distinguish between the encryption of your query M and the encryption of a random string of the same length –In the lingo, “CBC is IND-CPA” –It’s not IND-CCA You need to add authentication to get this

36. The Big (Partial) Picture Primitives Block Ciphers Hash Functions Hard Problems Stream Ciphers First-Level Protocols Symmetric Encryption Digital Signatures MAC Schemes Asymmetric Encryption Second-Level Protocols SSH, SSL/TLS, IPSec Electronic Cash, Electronic Voting (Can do proofs) (No one knows how to prove security; make assumptions)

37. Symmetric Authentication: The Intuitive Model Here’s the intuition underlying the authentication model: –Alice and Bob have some shared, random string K –They wish to communicate over some insecure channel –An active adversary is able to eavesdrop and arbitrarily insert packets into the channel Adversary Alice Key K Bob

38. Authentication: The Goal Alice and Bob’s Goal: –Alice wishes to send packets to Bob in such a way that Bob can be certain (with overwhelming probability) that Alice was the true originator Adversary’s Goal: –The adversary will listen to the traffic and then (after some time) attempt to impersonate Alice to Bob –If there is a significant probability that Bob will accept the forgery, the adversary has succeeded

39. The Solution: MACs The cryptographic solution to this problem is called a Message Authentication Code (MAC) –A MAC is an algorithm which accepts a message M, a key K, and possibly some state (like a nonce N), and outputs a short string called a “tag” MAC M K N tag = MAC K (M, N)

40. MACs (cont) Alice computes tag = MAC K (M, N) and sends Bob the message (M, N, tag) Bob receives (M’, N’, tag’) and checks if MAC K (M’, N’) == tag’ –If YES, he accepts M’ as authentic –If NO, he rejects M’ as an attempted forgery Note: We said nothing about privacy here! M might not be encrypted (M’, N’, tag’) MAC K (M’, N’) == tag’ ?? Y N ACCEPT REJECT Bob

41. Security for MACs The normal model is the ACMA model –Adaptive Chosen-Message Attack Adversary gets a black-box called an “oracle” –Oracle contains the MAC algorithm and the key K –Adversary submits messages of his choice and the oracle returns the MAC tag –After some “reasonable” number of queries, the adversary must “forge” To forge, the adversary must produce a new message M * along with a valid MAC tag for M * –If no adversary can efficiently forge, we say the MAC is secure in the ACMA model

42. Building a MAC with a Blockcipher Let’s use AES to build a MAC –A common method is the CBC MAC: CBC MAC is stateless (no nonce N is used) Proven security in the ACMA model provided messages are all of once fixed length Resistance to forgery quadratic in the aggregate length of adversarial queries plus any insecurity of AES Widely used: ANSI X9.19, FIPS 113, ISO 9797-1 AES K M1M1 tag M2M2 MmMm

43. CBC MAC notes Just like CBC mode encryption except: –No IV (or equivalently, IV is 0 n ) –We output only the last value Not parallelizable Insecure if message lengths vary

44. Breaking CBC MAC If we allow msg lengths to vary, the MAC breaks –To “forge” we need to do some (reasonable) number of queries, then submit a new message and a valid tag Ask M 1 = 0 n we get t = AES K (0 n ) back We’re done! –We announce that M * = 0 n || t has tag t as well –(Note that A || B denotes the concatenation of strings A and B)

45. Varying Message Lengths: XCBC There are several well-known ways to overcome this limitation of CBC MAC XCBC, is the most efficient one known, and is provably- secure (when the underlying block cipher is computationally indistinguishable from random) –Uses blockcipher key K1 and needs two additional n-bit keys K2 and K3 which are XORed in just before the last encipherment A proposed NIST standard (as “CMAC”) AES K1 M1M1 tag M2M2 MmMm K2 if n divides |M| K3 otherwise

46. UMAC: MACing Faster In many contexts, cryptography needs to be as fast as possible –High-end routers process > 1Gbps –High-end web servers process > 1000 requests/sec But AES (a very fast block cipher) is already more than 15 cycles-per-byte on a PPro –Block ciphers are relatively expensive; it’s possible to build faster MACs UMAC is roughly ten times as fast as current practice

47. UMAC follows the Wegman-Carter Paradigm Since AES is (relatively) slow, let’s avoid using it unless we have to –Wegman-Carter MACs provide a way to process M first with a non-cryptographic hash function to reduce its size, and then encrypt the result Message M hash function hash key encrypt encryption key hash(M) tag

48. The Ubiquitous HMAC The most widely-used MAC (IPSec, SSL, many VPNs) Doesn’t use a blockcipher or any universal hash family –Instead uses something called a “collision resistant hash function” H Sometimes called “cryptographic hash functions” Keyless object – more in a moment HMAC K (M) = H(K © opad || H(K © ipad || M)) opad is 0x36 repeated as needed ipad is 0x5C repeated as needed

49. Notes on HMAC Fast –Faster than CBC MAC or XCBC Because these crypto hash functions are fast Slow –Slower than UMAC and other universal-hash-family MACs Proven security –But these crypto hash functions have recently been attacked and may show further weaknesses soon

50. What are cryptographic hash functions? Output Message e.g., MD5,SHA-1 Hash Function A cryptographic hash function takes a message from {0,1} * and produces a fixed size output Output is called “hash” or “digest” or “fingerprint” There is no key The most well-known are MD5 and SHA-1 but there are other options MD5 outputs 128 bits SHA-1 outputs 160 bits % md5 Hello There ^D A82fadb196cba39eb884736dcca303a6 %

51. T  A << 5 + g t (B, C, D) + E + K t + W t SHA-1... M1M1 M2M2 MmMm for i = 1 to m do Wt ={Wt ={ t-th word of M i 0  t  15 ( W t-3 ©  W t-8 ©  W t-14 © W t-16 ) << 1 16  t  79 A  H 0 i-1 ; B  H 1 i-1 ; C  H 2 i-1 ; D  H 3 i-1 ; E  H 4 i-1 for t = 1 to 80 do E  D; D  C; C  B >> 2; B  A; A  T H 0 i  A  H 0 i-1 ; H 1 i  B + H 1 i-1 ; H 2 i  C+ H 2 i-1 ; H 3 i  D + H 3 i-1 ; H 4 i  E + H 4 i-1 end return H 0 m H 1 m H 2 m H 3 m H 4 m 512 bits 160 bits

52. Real-world applications Message authentication codes (HMAC) Digital signatures (hash-and-sign) File comparison (compare-by-hash, eg, RSYNC) Micropayment schemes Commitment protocols Timestamping Key exchange... Hash functions are pervasive

53. A cryptographic property BAD: H(M) = M mod 701 (quite informal) 1. Collision resistance given a hash function it is hard to find two colliding inputs H M {0,1} n H M’M’ Strings

54. More cryptographic properties 1. Collision resistance given a hash function it is hard to find two colliding inputs 3. Preimage resistance given a hash function and given an hash output it is hard to invert that output 2. Second-preimage given a hash function and resistance given a first input, it is hard to find a second input that collides with the first 

55. Merkle-Damgard construction IV M1M1 M2M2 M3M3 h1h1 h2h2 h 3 = H (M) n k Fixed initial value Chaining value Compression function fff k MD Theorem: if f is CR, then so is H

56. MiMi T  A << 5 + g t (B, C, D) + E + K t + W t... M1M1 M2M2 MmMm for i = 1 to m do Wt ={Wt ={ t-th word of M i 0  t  15 ( W t-3  W t-8  W t-14  W t-16 ) << 1 16  t  79 A  H 0 i-1 ; B  H 1 i-1 ; C  H 2 i-1 ; D  H 3 i-1 ; E  H 4 i-1 for t = 1 to 80 do E  D; D  C; C  B >> 2; B  A; A  T H 0 i  A  H 0 i-1 ; H 1 i  B + H 1 i-1 ; H 2 i  C+ H 2 i-1 ; H 3 i  D + H 3 i-1 ; H 4 i  E + H 4 i-1 end return H 0 m H 1 m H 2 m H 3 m H 4 m 512 bits 160 bits H 0..4 i- 1 160 bits

57. Hash Function Security Consider best-case scenario (random outputs) If a hash function output only 1 bit, how long would we expect to avoid collisions? –Expectation: 1 £ 0 + 2 £ ½ + 3 £ ½ = 2.5 What about 2 bits? –Expectation: 1 £ 0 + 2 £ ¼ + 3 £ ¾ ½ + 4 £ ¾ ½ ¾ + 5 £ ¾ ½ ¼ ¼ 3.22 This is too hard…

58. Birthday Paradox Need another method –Birthday paradox: if we have 23 people in a room, the probability is > 50% that two will share the same birthday Assumes uniformity of birthdays –Untrue, but this only increases chance of birthday match Ignores leap years (probably doesn’t matter much) –Try an experiment with the class…

59. Birthday Paradox (cont) Let’s do the math –Let n equal number of people in the class –Start with n = 1 and count upward Let NBM be the event that there are No-Birthday-Matches For n=1, Pr[NBM] = 1 For n=2, Pr[NBM] = 1 £ 364/365 ¼.997 For n=3, Pr[NBM] = 1 £ 364/365 £ 363/365 ¼.991 … For n=22, Pr[NBM] = 1 £ … £ 344/365 ¼.524 For n=23, Pr[NBM] = 1 £ … £ 343/365 ¼.493 –Since the probability of a match is 1 – Pr[NBM] we see that n=23 is the smallest number where the probability exceeds 50%

60. Occupancy Problems What does this have to do with hashing? –Suppose each hash output is uniform and random on {0,1} n –Then it’s as if we’re throwing a ball into one of 2 n bins at random and asking when a bin contains at least 2 balls This is a well-studied area in probability theory called “occupancy problems” –It’s well-known that the probability of a collision occurs around the square-root of the number of bins If we have 2 n bins, the square-root is 2 n/2

61. Birthday Bounds This means that even a perfect n-bit hash function will start to exhibit collisions when the number of inputs nears 2 n/2 –This is known as the “birthday bound” –It’s impossible to do better, but quite easy to do worse It is therefore hoped that it takes  (2 64 ) work to find collisions in MD5 and  (2 80 ) work to find collisions in SHA-1

62. The Birthday Bound 1.0 Probability 0.0 0.5 2n2n Number of Hash Inputs 2 n/2

63. Latest News At CRYPTO 2004 (August) –Collisions found in HAVAL, RIPEMD, MD4, MD5, and SHA-0 (2 40 operations) Wang, Feng, Lai, Yu Only Lai is well-known –HAVAL was known to be bad –Dobbertin found collisions in MD4 years ago –MD5 news is big! CU team has lowered time-to-collision to 3 mins (July 2005) –SHA-0 isn’t used anymore (but see next slide)

64. Collisions in SHA-0 T  A << 5 + g t (B, C, D) + E + K t + W t Wt ={Wt ={ t-th word of M i 0  t  15 ( W t-3  W t-8  W t-14  W t-16 ) << 1 16  t  79 A  H 0 i-1 ; B  H 1 i-1 ; C  H 2 i-1 ; D  H 3 i-1 ; E  H 4 i-1 for t = 1 to 80 do E  D; D  C; C  B >> 2; B  A; A  T H 0 i  H 0 i-1 ; H 1 i  A + H 1 i-1 ; H 2 i  C+ H 2 i-1 ; H 3 i  D + H 3 i-1 ; H 4 i  E + H 4 i-1 end H 0..4 i- 1 65 not in SHA-0 M1,M1, M1’M1’ Collision!

65. What Does this Mean? Who knows –Methods are not yet understood –Will undoubtedly be extended to more attacks –Maybe nothing much more will happen –But maybe everything will come tumbling down?! But we have OTHER ways to build hash functions

66. A Provably-Secure Blockcipher-Based Compression Function E MiMi h i-1 hihi n bits

67. The Big (Partial) Picture Primitives Block Ciphers Hash Functions Hard Problems Stream Ciphers First-Level Protocols Symmetric Encryption Digital Signatures MAC Schemes Asymmetric Encryption Second-Level Protocols SSH, SSL/TLS, IPSec Electronic Cash, Electronic Voting (Can do proofs) (No one knows how to prove security; make assumptions)