David Evans, CS588: Security and Privacy, University of Virginia Computer Science. Lecture 6: Striving for Confusion


1 David Evans (http://www.cs.virginia.edu/evans), CS588: Security and Privacy, University of Virginia Computer Science. Lecture 6: Striving for Confusion. “Structures have been found in DES that were undoubtedly inserted to strengthen the system against certain types of attack. Structures have also been found that appear to weaken the system.” Lexar Corporation, “An Evaluation of the DES”, 1976.

2 (8 February 2005, University of Virginia CS 588) Menu: PS1 Question 4b – Will return PS1 Thursday. DES. Strengthening DES. Breaking DES.

3 Permutation Cipher: How much information can be transmitted with perfect secrecy using symbols from the English alphabet (26 letters) with a transposition cipher with block size 8 and a permutation chosen randomly from all possible permutations?

4 Key Space: the key is a random permutation of the 8 positions 12345678, so there are 8! = 40320 keys. Perfect Cipher Keyspace Theorem (a perfect cipher needs at least as many keys as messages): cannot transmit more than 8! different messages securely.

5 8! Messages: M = { ABCDEFGH, BACDEFGH, CABDEFGH, DABCEFGH, EABCDFGH, … } Why couldn’t you also include IJKLMNOP? What if there were only 2 alphabet symbols? (Note: can transmit as many blocks as you want.) Midterm Question

6 Feistel Cipher Recap: the plaintext block is split into halves L0, R0; one round computes L1 = R0 and R1 = L0 ⊕ F(R0, K1), i.e. a substitution (F mixes in the round key) followed by a permutation (the halves swap). Last time: – Decryption works, as long as the keys are used in reverse order – Can provide confusion and diffusion (because of the permutation), but only if F is confusing

7 DES: NIST (then NBS) sought a standard for data security (1973). IBM’s Lucifer was the only reasonable proposal. Modified by NSA – Changed S-Boxes – Reduced key from 128 to 56 bits. Adopted as a standard in 1976. More bits have been encrypted using DES than any other cipher.

8 DES Algorithm: Feistel cipher with an added initial permutation (undone by a final permutation). Complex choice of F. 16 rounds. 56-bit key; shifts and permutations produce a 48-bit subkey for each round.

9 DES’s F: expand and permute the 32-bit half to 48 bits (using the E table); XOR with the 48-bit round key Kn; substitute back to 32 bits (using the S-boxes); permute the 32 bits (the P permutation). The goal is confusion!

10 S-Boxes: each S-box takes 6 bits in and gives 4 bits out, a 64-entry lookup table. Example: 110011 → 1001. Critical to security: NSA changed the choice of S-boxes. The only non-linear step in DES: S(11) ≠ S(01) ⊕ S(10), i.e. in general S(a ⊕ b) ≠ S(a) ⊕ S(b).

11 DES Avalanche: two plaintexts differing in one bit, encrypted under the same key; * marks a bit that differs after each step, and the number at the right is the count of differing bits (given only where the transcript has it).
Input:    ...............................................................* 1
Permuted: .......................................*........................ 1
Round 1:  .......*........................................................ 1
Round 2:  .*..*...*.....*........................*........................ 5
Round 3:  .*..*.*.**..*.*.*.*....**.....**.*..*...*.....*................. 18
Round 4:  ..*.*****.*.*****.*.*......*.....*..*.*.**..*.*.*.*....**.....** 28
Round 5:  *...**..*.*...*.*.*.*...*.***..*..*.*****.*.*****.*.*......*.... 29
Round 6:  ...*..**.....*.*..**.*.**...*..**...**..*.*...*.*.*.*...*.***..* 26
Round 7:  *****...***....**...*..*.*..*......*..**.....*.*..**.*.**...*..*
Round 8:  *.*.*.*.**.....*.*.*...**.*...*******...***....**...*..*.*..*...
Round 9:  ***.*.***...**.*.****.....**.*..*.*.*.*.**.....*.*.*...**.*...**
Round 10: *.*..*.*.**.*..*.**.***.**.*...****.*.***...**.*.****.....**.*..
Round 11: ..******......*..******....*....*.*..*.*.**.*..*.**.***.**.*...*
Round 12: *..***....*...*.*.*.***...****....******......*..******....*....
Round 13: **..*....*..******...*........*.*..***....*...*.*.*.***...****..
Round 14: *.**.*....*.*....**.*...*..**.****..*....*..******...*........*.
Round 15: **.*....*.*.*...*.**.*..*.*.**.**.**.*....*.*....**.*...*..**.**
Round 16: .*..*.*..*..*.**....**..*..*..****.*....*.*.*...*.**.*..*.*.**.*
Output:   ..*..**.*.*...*....***..***.**.*...*..*..*.*.*.**.*....*.*.*.**.
Source: Willem de Graaf, http://www-groups.dcs.st-and.ac.uk/~wdg/slides/node150.html

12 Key Schedule: need 16 48-bit round keys – Best security: just use 16 independent keys (768 key bits) – DES uses a 56-bit key (supplied as 64 bits, of which 8 are parity-check bits) – Produces the 48-bit round keys by shifting and permuting

13 DES Keys: K_i = PC(Shift(Left(K_{i-1})) || Shift(Right(K_{i-1}))). The 56-bit key is split into two 28-bit halves; each round shifts each half left by 1 or 2 bits and compresses/permutes the 56 bits into the 48-bit round key K_n; the shifted halves feed the next round. Are there any weak keys? (Yes: four keys for which all 16 round keys are identical, plus twelve semi-weak keys.)

14 Is DES a perfect cipher? No: more messages than keys. Even for a single 64-bit block, 2^64 messages > 2^56 keys.

15 Attacking DES: Brute Force. Key is 56 bits: 2^56 ≈ 7.2 × 10^16 = 72 quadrillion keys. Try 1 per second: about 2.3 billion years to search the entire space. Distributed attacks – Steal/borrow idle cycles on networked PCs – 100,000 PCs × 1M keys/second = 10^11 keys/second, so half of the key space (3.6 × 10^16 keys) takes about 3.6 × 10^5 seconds, roughly 4 days

16 Brute Force Attacks: RSA DES challenges – 1997: 96 days (using 70,000 machines) – Feb 1998: 41 days (distributed.net)

17 Multiple Encryption

18 Multiple Encryption: C = E_K2(E_K1(P)). Does it double the key space? Not for a monoalphabetic cipher: C_i = K2[K1[P_i]] = K3[P_i] for some K3, since the composition of two substitutions is just another substitution.

19 Double-Vigenère: C = E_K2(E_K1(P)). Vigenère: C_i = (P_i + K_{i mod N}) mod Z. Double: C_i = ((P_i + K1_{i mod N1}) mod Z + K2_{i mod N2}) mod Z = (P_i + K1_{i mod N1} + K2_{i mod N2}) mod Z. If N1 = N2: = (P_i + K3_{i mod N}) mod Z with K3 = K1 + K2 (letter by letter, mod Z). What if N1 ≠ N2?

20 Double-Vigenère: K1 = "BOND", K2 = "JAMES". BONDBONDBONDBONDBONDBONDBOND + JAMESJAMESJAMESJAMESJAMESJAM = KOZHTXNPFGWDNSFMBARVKOZHTXNP. Effective key length: LCM(N1, N2) = 20
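The composite key on this slide, as an added example (not the lecture's code): it builds K3 letter by letter for two keys of different lengths, checks that encrypting with K1 then K2 equals encrypting once with K3, and measures the real period of K3, which is at most lcm(N1, N2).

```python
from math import gcd

# Added example (not the lecture's code): composing two Vigenère keys of
# different lengths into the single key K3 the slide describes.

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
Z = len(ALPHABET)


def vigenere(text, key, decrypt=False):
    """C_i = (P_i + K_{i mod N}) mod Z; decryption subtracts the key letter instead."""
    out = []
    for i, ch in enumerate(text):
        shift = ALPHABET.index(key[i % len(key)])
        if decrypt:
            shift = -shift
        out.append(ALPHABET[(ALPHABET.index(ch) + shift) % Z])
    return "".join(out)


def composite_key(k1, k2):
    """K3_i = (K1_{i mod N1} + K2_{i mod N2}) mod Z over one cycle of lcm(N1, N2) letters."""
    n1, n2 = len(k1), len(k2)
    cycle = n1 * n2 // gcd(n1, n2)
    return "".join(ALPHABET[(ALPHABET.index(k1[i % n1]) + ALPHABET.index(k2[i % n2])) % Z]
                   for i in range(cycle))


def minimal_period(key):
    """Smallest p dividing len(key) such that key repeats every p letters."""
    n = len(key)
    return next(p for p in range(1, n + 1)
                if n % p == 0 and all(key[i] == key[i % p] for i in range(n)))


if __name__ == "__main__":
    k3 = composite_key("BOND", "JAMES")
    print(k3, "period", minimal_period(k3))          # KOZHTXNPFGWDNSFMBARV period 20
    msg = "THEQUICKBROWNFOXJUMPSOVERTHELAZYDOG"       # constructed sample plaintext
    assert vigenere(vigenere(msg, "BOND"), "JAMES") == vigenere(msg, k3)
    print(composite_key("AB", "BA"), "period", minimal_period(composite_key("AB", "BA")))
```

The lcm is only an upper bound: the pair "AB" and "BA" composes to "BB", period 1, so the effective key length has to be measured on the composite (or, for an attacker, estimated from the ciphertext) rather than assumed from N1 and N2.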

21 Double DES: C = E_K2(E_K1(P)). Is there a K3 such that C = E_K3(P)? – There are 2^56 keys, and (2^64)! mappings (permutations of the 64-bit block space) – If DES is good, keys map randomly to mappings – Probability that a randomly chosen mapping corresponds to a DES key: 2^56 / (2^64)! << 1 / 2^63 – (Campbell and Wiener showed in 1992 that DES is not a group, so in general no such K3 exists.) Effective key size of Double DES? = 2^56 × 2^56 = 2^112? WRONG!

22 Known Plaintext Attack: given one pair (P, C) with C = E_K2(E_K1(P)): encrypt P under every candidate key to get X_K1, X_K2, …, X_K(2^56), and decrypt C under every candidate key to get Y_K1, Y_K2, …, Y_K(2^56). A match X_Ki = Y_Kj means K1 = Ki and K2 = Kj (a candidate pair; confirm it against a second known pair).

23 Meet-in-the-Middle Attack: C = E_K2(E_K1(P)), so X = E_K1(P) = D_K2(C). Brute force attack (given one P/C pair): calculate E_K1(P) for all keys (2^56 work); calculate D_K2(C) for all keys (2^56 work); the match gives the keys. Total work = 2 × 2^56 = 2^57 (plus storage for the 2^56 intermediate values).
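The attack of slides 22 and 23, run end to end on a toy cipher, as an added example (not code from the lecture): a 16-bit Feistel network with a 16-bit key, small enough to exhaust in seconds. The same block also shows the two points of the Feistel recap (slide 6), that decryption is the same network with the round keys reversed, and a per-round avalanche count like the table on slide 11. Only the 4-bit S-box is taken from a real design (the PRESENT cipher); the key schedule, F and the test keys are assumptions of the example.

```python
# Added example (not code from the slides): a toy 16-bit Feistel cipher with a
# 16-bit key, small enough to exhaust, used to show that decryption is the same
# network with the round keys reversed (slide 6), how a one-bit input change
# spreads round by round (slide 11), and the meet-in-the-middle attack on
# double encryption (slides 22-23).  Only the 4-bit S-box is borrowed from a
# real design (the PRESENT cipher); the key schedule and F are ad hoc.

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
ROUNDS = 4
KEY_BITS = 16


def rotl16(x, n):
    n %= 16
    return ((x << n) | (x >> (16 - n))) & 0xFFFF


def round_keys(key):
    """Round key i is the low byte of the key rotated left by 5*i bits."""
    return [rotl16(key, 5 * i) & 0xFF for i in range(ROUNDS)]


def f(r, rk):
    """Substitution step: key mixing, nibble-wise S-box, then a bit rotation."""
    x = r ^ rk
    x = (SBOX[x >> 4] << 4) | SBOX[x & 0xF]
    return ((x << 3) | (x >> 5)) & 0xFF


def feistel(block, rks):
    """L_i = R_{i-1}, R_i = L_{i-1} ^ F(R_{i-1}, K_i); the half-swap is the permutation."""
    l, r = block >> 8, block & 0xFF
    for rk in rks:
        l, r = r, l ^ f(r, rk)
    return (r << 8) | l                 # undo the swap of the last round


def encrypt(p, key):
    return feistel(p, round_keys(key))


def decrypt(c, key):
    return feistel(c, round_keys(key)[::-1])   # same network, keys reversed


def double_encrypt(p, k1, k2):
    return encrypt(encrypt(p, k1), k2)


def avalanche(p, key, flip_bit=0):
    """Differing state bits after each round for p and p with one bit flipped."""
    a, b = p, p ^ (1 << flip_bit)
    diffs = [bin(a ^ b).count("1")]
    for rk in round_keys(key):
        a = ((a & 0xFF) << 8) | ((a >> 8) ^ f(a & 0xFF, rk))
        b = ((b & 0xFF) << 8) | ((b >> 8) ^ f(b & 0xFF, rk))
        diffs.append(bin(a ^ b).count("1"))
    return diffs


def meet_in_the_middle(pairs):
    """Recover (k1, k2) from known (p, c) pairs with c = E_k2(E_k1(p)).

    Cost: 2^KEY_BITS encryptions of p0 (kept in a table) plus 2^KEY_BITS
    decryptions of c0, instead of 2^(2*KEY_BITS) trial double encryptions.
    The block (16 bits) is narrower than the key pair (32 bits), so the first
    pair alone leaves about 2^16 false matches; the remaining pairs weed them
    out (for DES, 2^112 / 2^64 = 2^48 false matches survive a single pair).
    """
    p0, c0 = pairs[0]
    table = {}
    for k1 in range(1 << KEY_BITS):
        table.setdefault(encrypt(p0, k1), []).append(k1)
    for k2 in range(1 << KEY_BITS):
        x = decrypt(c0, k2)                        # meets E_k1(p0) in the middle
        for k1 in table.get(x, ()):
            if all(double_encrypt(p, k1, k2) == c for p, c in pairs[1:]):
                return k1, k2
    return None


if __name__ == "__main__":
    k1, k2 = 0x1F2A, 0xC3D4                        # assumed secret keys
    pairs = [(p, double_encrypt(p, k1, k2)) for p in (0x0000, 0x1234, 0xFFFF)]
    print("avalanche per round:", avalanche(0x1234, k1))
    print("recovered:", meet_in_the_middle(pairs), "true:", (k1, k2))
```

The table of 2^16 intermediate values is the memory cost the slide's 2^57 figure leaves out; for DES it is 2^56 entries of 8 bytes, which is why the attack is a practical worry for double encryption rather than a demonstration anyone runs.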

24 Hmmm…maybe thrice?

25 2-Key Triple DES: C = E_K1(D_K2(E_K1(P))). Why D_K2 and not E_K2? – Backwards compatibility with DES: if K1 = K2, C = E_K1(D_K1(E_K1(P))) = E_K1(P). Actual key size = 56 + 56 bits = 112 bits. Meet-in-the-middle? X = E_K1(P) = E_K2(D_K1(C)): the left side costs 2^56, but the right side depends on both keys, so the straightforward meet-in-the-middle still needs to try 2^112.

26 How secure is Triple-DES? Brute force search: 2^112 keys – Best DES attack: 245 billion keys/second – ≈ 6.7 × 10^14 years (compared to 22 hours for single DES) – 10^11 years = total lifetime of the universe (closed universe theory). Best known attack reduces this to 2^(120 − log2 n) – n = number of known P-C pairs – with n = 2^64, the work is 2^56. Realistic?

27 3-Key Triple DES: C = E_K3(D_K2(E_K1(P))). H(K) = 168 bits. Used by PGP, S/MIME. How much work to brute-force? – Meet-in-the-middle: X = D_K3(C) = D_K2(E_K1(P)): 2^56 for the left side + 2^112 for the right, so about 2^112 rather than 2^168

28 Cracking DES (1998): EFF’s Deep Crack. 90 billion keys per second. Cost < $250K (in 1998). 56 hours to solve the RSA DES Challenge.

29 Cracking DES (2001): Mike Bond, Richard Clayton (University of Cambridge PhD students). IBM 4758 “Cryptoprocessor” (used in banking security; generates PINs from account numbers). $995 for a custom FPGA. 20 hours to extract the key. Meet-in-the-middle attack (we’ll discuss this next class).

30 Cracking DES (2005): Girish Ratanpal

31 POWER ANALYSIS ATTACKS. Girish Ratanpal, Electrical & Computer Engineering, UVA

32 The Problem: mathematically secure cryptographic algorithms, but implementations leak information. Side-channels – Execution time – Power consumption – Radio frequencies – Electric/magnetic fields

33 The power consumption side-channel: correlation between operation and power consumed – e.g. MOV 0 vs MOV FF. Correlation between power consumed and bit transitions at the output of gates – e.g. 0 → 1 vs 1 → 0

34 DPA attack on DES: guess the 6-bit piece of sub-key K16 that feeds one S-box. From each ciphertext C_i, compute the predicted value of bit b of L15 (the slide uses bit 0) under that guess. That prediction is the selection function D(C_i, b, K16).

35 DES attack contd.: collect power traces with k time samples for each of m ciphertexts. Divide the traces into two sets T0 and T1 using the selection function (D = 0 or D = 1). Compute the average of each set and subtract: this difference is the DPA trace.
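The attack of slides 34 and 35, as an added simulation (not the presenter's code or measurements): each trace's power sample is modelled as the Hamming weight of the S-box 5 output in the last round plus Gaussian noise, generated with a fixed seed; the attacker partitions the traces with the selection function for each of the 64 subkey guesses and takes the difference of means. Because the modelled leak is the S-box output, the selection function here predicts a bit of that output rather than of L15 (the two differ only by the known R16 bit). The S-box 5 table and the E-table bit positions are DES's own; the leakage model, trace count, noise level and the true subkey 0b101101 are assumptions of the example.

```python
import random

# Added example: a simulated differential power analysis of the last DES
# round, not the presenter's code or measurements.

# DES S-box 5 (FIPS 46-3): row = outer two input bits, column = middle four.
S5 = [
    [2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9],
    [14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6],
    [4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14],
    [11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3],
]


def sbox5(x6):
    row = (((x6 >> 5) & 1) << 1) | (x6 & 1)
    col = (x6 >> 1) & 0xF
    return S5[row][col]


def s5_input(r15):
    # Row 5 of the E table sends bits 16..21 of R15 (1-indexed from the MSB)
    # into S-box 5; R15 = L16 is read directly off the ciphertext.
    return (r15 >> 11) & 0x3F


def hamming_weight(v):
    return bin(v).count("1")


def simulate_traces(true_key6, m, sigma=1.0, seed=7):
    """Constructed traces: m random R15 values and one power sample each.

    Leakage model (an assumption of this example): Hamming weight of the
    S-box 5 output in round 16 plus Gaussian noise.  A real trace has k
    samples; the attack below is what runs at each sample index.
    """
    rng = random.Random(seed)
    traces = []
    for _ in range(m):
        r15 = rng.getrandbits(32)
        power = hamming_weight(sbox5(s5_input(r15) ^ true_key6)) + rng.gauss(0, sigma)
        traces.append((r15, power))
    return traces


def selection(r15, b, key6_guess):
    """D(C, b, K): predicted bit b of the S-box 5 output under the 6-bit guess."""
    return (sbox5(s5_input(r15) ^ key6_guess) >> b) & 1


def dpa_peak(traces, b, key6_guess):
    """Split the traces into T0/T1 by the selection function; return mean(T1) - mean(T0)."""
    t0, t1 = [], []
    for r15, power in traces:
        (t1 if selection(r15, b, key6_guess) else t0).append(power)
    if not t0 or not t1:
        return 0.0
    return sum(t1) / len(t1) - sum(t0) / len(t0)


def recover_subkey(traces, b=0):
    """Try all 64 guesses; the correct one gives the largest difference of means."""
    peaks = [dpa_peak(traces, b, guess) for guess in range(64)]
    return max(range(64), key=lambda g: peaks[g]), peaks


if __name__ == "__main__":
    TRUE_KEY6 = 0b101101                      # assumed 6-bit piece of K16 for S-box 5
    traces = simulate_traces(TRUE_KEY6, 4000)
    best, peaks = recover_subkey(traces)
    print(f"recovered {best:06b}, peak {peaks[best]:.2f}; "
          f"largest wrong-guess peak {max(p for g, p in enumerate(peaks) if g != best):.2f}")
```

Repeating this for the other seven S-boxes yields all 48 bits of K16; the remaining 8 key bits are then a trivial search. The noise countermeasure on slide 39 corresponds to raising sigma here: it lowers the peak's signal-to-noise ratio but does not remove it, so the attacker compensates by collecting more traces.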

36 S[k] with Correct Guess

37 S[k] with Incorrect Guess

38 Subkey for SBOX-5

39 Existing Countermeasures: 1. Noise insertion: directly reduces the SNR of S[k]. 2. Temporal de-synchronization: randomly varying clock; dummy instructions; randomized instruction stream. 3. Algorithmic countermeasure: masking of intermediate results. 4. Supply current shielding: off-chip capacitors.

40 Existing Countermeasures: the algorithmic and temporal de-synchronization countermeasures affect the implementation. Need for a solution that – Puts minimal constraints on the hardware implementation – Can be integrated on-chip

41 Suppression circuit: the voltage is sensed across R_sense; current feedback keeps the voltage constant; C_filter removes the high-frequency components.

42 Result of Suppression

43 DPA on Protected Device

44 Charge: deadline for project proposals delayed until Feb 17 – Start using the forum to find project teams. PS2 out today, due next Tuesday – Read the attached paper before Thursday’s class – We’ll talk about it Thursday

