1 / 37

Lecture 2.3: Private Key Cryptography III

Lecture 2.3: Private Key Cryptography III. CS 436/636/736 Spring 2012 Nitesh Saxena. Course Administration. TA/Grader: Eric Frees : Email: efrees@uab.edu Office hrs: 2-4pm on Wednesdays, Ugrad lab (CH 154) HW1 heads up To be posted by this weekend Covers lecture 1, 2.1 – 2.3

armina
Download Presentation

Lecture 2.3: Private Key Cryptography III

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Lecture 2.3: Private Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena

  2. Course Administration • TA/Grader: Eric Frees: • Email: efrees@uab.edu • Office hrs: 2-4pm on Wednesdays, Ugrad lab (CH 154) • HW1 heads up • To be posted by this weekend • Covers lecture 1, 2.1 – 2.3 • At least 12 days for you to work on it Lecture 2.3 - Private Key Cryptography III

  3. Outline of today’s lecture • Block Ciphers: Modes of Encryption • AES (at home reading assignment) Lecture 2.3 - Private Key Cryptography III

  4. Block Cipher Encryption modes • Electronic Code Book (ECB) • Cipher Block Chain (CBC) • Most popular one • Cipher Feed Back (CFB) • Output Feed Back (OFB) Lecture 2.3 - Private Key Cryptography III

  5. Analysis We will analyze each of the modes in terms of: • Security • Computational Efficiency (parallelizing encryption/decryption) • Transmission Errors • Integrity Protection Lecture 2.3 - Private Key Cryptography III

  6. Electronic Code Book (ECB) Mode • Although DES encrypts 64 bits (a block) at a time, it can encrypt a long message (file) in Electronic Code Book (ECB) mode. • Deterministic -- If same key is used then identical plaintext blocks map to identical ciphertext Lecture 2.3 - Private Key Cryptography III

  7. Example – why ECB is bad? Tux encrypted with AES in ECB mode Tux Lecture 2.3 - Private Key Cryptography III

  8. Cipher Block Chain (CBC) Mode encryption decryption Lecture 2.3 - Private Key Cryptography III

  9. CBC Traits • Randomized encryption • IV – Initialization vector serves as the randomness for first block computation; the ciphertext of the previous block serves as the randomness for the current block computation • IV is a random value • IV is no secret; it is sent along with the ciphertext blocks (it is part of the ciphertext) Lecture 2.3 - Private Key Cryptography III

  10. Example – why CBC is good? Tux encrypted with AES in CBC mode Tux Lecture 2.3 - Private Key Cryptography III

  11. CBC – More Properties • What happens if k-th cipher block CK gets corrupted in transmission. • With ECB – Only decrypted PK is affected. • With CBC? • Only blocks PK and PK+1 are affected!! • What if one plaintext block PK is changed? • With ECB only CK affected. • With CBC all subsequent ciphertext blocks will be affected. • “Avalanche effect” • This leads to an effective integrity protection mechanism (or message authentication code (MAC)) Lecture 2.3 - Private Key Cryptography III

  12. Cipher Feedback Mode (CFB)

  13. CFB Properties • Randomized encryption – good for security (Tux won’t be visible after encryption!) • Change in one plaintext bit is going to affect all subsequent ciphertext bits. So can be used for MAC. • Change in ciphertext bit results in? Lecture 2.3 - Private Key Cryptography III

  14. Output Feedback Mode (OFB)

  15. OFB Properties • Randomized encryption – good for security (Tux won’t be visible after encryption!) • Bit errors in transmission do not propagate (except for the IV) • Not good for authentication – no avalanche effect Lecture 2.3 - Private Key Cryptography III

  16. Security of Block Cipher Modes • ECB is not even secure against eavesdroppers (ciphertext only and known plaintext attacks) • CBC, CFB and OFB are secure against CPA attacks (assuming 3-DES or AES is used in each block computation); automatically secure against eavesdropping attacks • However, none is secure against CCA. Why? • Intuitively, this is because the ciphertext can be “massaged” in a meaningful way -- see whiteboard (please take notes)

  17. Summary of CCA Attacks • Assume adversary has eavesdropped upon a ciphertext – (C0, C1, C2) -- corresponding to a plaintext (M1, M2). C0 is IV. • Adversary is not allowed to query for (C0, C1, C2) itself • With CBC, adversary queries for (C0’, C1, C2) and obtains (M1’, M2) • With CFB, he queries for (C0, C1, C2’) and obtains (M1, M2’) • With OFB, he queries for (C0, C1’,C2)/(C0,C1, C2’)/(C0, C1’,C2’) and obtains (M1’,M2)/(M1,M2’)/(M1’,M2’), respectively

  18. How to achieve CCA security? • Prevent any massaging of the ciphertext • Intuitively, this can be achieved by using integrity protection mechanisms (such as MACs), which we will study later • The ciphertext is generated using CBC/CFB/OFB and a MAC is generated on this ciphertext • Both ciphertext and the MAC is sent off • The other party decrypts only if MAC is valid Lecture 2.3 - Private Key Cryptography III

  19. Advanced Encryption Standard (AES) • National Institute of Science and Technology • DES is an aging standard that no longer addresses today’s needs for strong encryption • Triple-DES: Endorsed by NIST as today’s defacto standard • AES: The Advanced Encryption Standard • Finalized in 2001 • Goal – To define Federal Information Processing Standard (FIPS) by selecting a new powerful encryption algorithm suitable for encrypting government documents • AES candidate algorithms were required to be: • Symmetric-key, supporting 128, 192, and 256 bit keys • Royalty-Free • Unclassified (i.e. public domain) • Available for worldwide export Lecture 2.3 - Private Key Cryptography III

  20. AES • AES Round-3 Finalist Algorithms: • MARS • Candidate offering from IBM • RC6 • Developed by Ron Rivest of RSA Labs, creator of the widely used RC4 algorithm • Twofish • From Counterpane Internet Security, Inc. • Serpent • Designed by Ross Anderson, Eli Biham and Lars Knudsen • Rijndael: the winner! • Designed by Joan Daemen and Vincent Rijmen Lecture 2.3 - Private Key Cryptography III

  21. Other Symmetric Ciphers and their applications • IDEA (used in PGP) • Blowfish (password hashing in OpenBSD) • RC4 (used in WEP), RC5 • SAFER (used in Bluetooth) Lecture 2.3 - Private Key Cryptography III

  22. Some Questions • C=DES(K,P); where (P, C are 64-bit long blocks). What would be DES(K,”PPPP”) in ECB mode? What it would be in CBC mode? • ECB is secure for sending just one block of data: true or false? • Is it okay to re-use IV in CBC? Why/why not? • Alice needs to send a *long* top-secret message to Bob. Which of the ciphers that we studied today can she use? Lecture 2.3 - Private Key Cryptography III

  23. AES: Rinjdael At home reading assignment! Lecture 2.3 - Private Key Cryptography III

  24. Rijndael • Joan Daemen (of Proton World International) and Vincent Rijmen (of Katholieke Universiteit Leuven). • (pronounced “Rhine-doll”) • Allows only 128, 192, and 256-bit key sizes (unlike the other candidates) • Variable block length of 128, 192, or 256 bits. All nine combinations of key/block length possible. • A block is the smallest data size the algorithm will encrypt • Vast speed improvement over DES in both hardware and software implementations • 8416 bytes/sec on a 20MHz 8051 (@ 12 CPI) • 8.8 Mbytes/sec on a 200MHz Pentium Pro Lecture 2.3 - Private Key Cryptography III

  25. Rijndael Structure • Rijndael consists of • an initial Round Key addition; • Nr-1 Rounds; • a final round. • In pseudo C code, this gives: Rijndael(State,CipherKey) { KeyExpansion(CipherKey,ExpandedKey) ; AddRoundKey(State,ExpandedKey); For( i=1 ; i<Nr ; i++ ) Round(State,ExpandedKey + Nb*i) ; FinalRound(State,ExpandedKey + Nb*Nr); } Lecture 2.3 - Private Key Cryptography III

  26. Rijndael Key Expansion Key W KE Round Keys K1 K2 K3 Kn-2 Kn-1 Kn X R1 R2 R3 Rn-2 Rn-1 Rn Y Encryption Rounds r1 … rn • Key is expanded to a set of n round keys • Input block X undergoes n rounds of operations (each operation is based on value of the nth round key), until it reaches a final round. • Strength relies on the fact that it’s difficult to obtain the intermediate result (or state) of round n from round n+1 without the round key. Lecture 2.3 - Private Key Cryptography III

  27. Number of Rounds • Number of rounds (Nr) as a function of the block (Nb) and key length (Nk) in 32 bit words. Lecture 2.3 - Private Key Cryptography III

  28. Rijndael Ki Detailed view of round i ByteSub ShiftRow MixColumn AddRoundKey Result from round i-1 Pass to round i+1 • Each round performs the following operations: • Non-linear Layer: No linear relationship between the input and output of a round • Linear Mixing Layer: Guarantees high diffusion over multiple rounds • Very small correlation between bytes of the round input and the bytes of the output • Key Addition Layer: Bytes of theinput are simply XOR’ed with the expanded round key Lecture 2.3 - Private Key Cryptography III 8/16/2014

  29. Rijndael • Three layers provide strength against known types of cryptographic attacks: Rijndael provides “full diffusion” after only two rounds • Linear and differential cryptanalysis • Known-key and related-key attacks • Square attack • Interpolation attacks • Weak-keys • Rijndael has been shown to be K-secure: • No key-recovery attacks faster than exhaustive search exist • No known symmetry properties in the round mapping • No weak keys • No related-key attacks: No two keys have a high number of expanded round keys in common Lecture 2.3 - Private Key Cryptography III

  30. Rijndael: ByteSub • Each byte at the input of a round undergoes a non-linear byte substitution according to the following: • 1.First, taking the multiplicative inverse in GF(28). ‘00’ is mapped onto itself. • 2. Then, applying an affine (over GF(2)) transformation. Affine Transform Substitution (“S”)-box Lecture 2.3 - Private Key Cryptography III

  31. Rijndael: ShiftRow Depending on the block length, each “row” of the block is cyclically shifted according to the above table Lecture 2.3 - Private Key Cryptography III

  32. Rijndael: MixColumn Each column is multiplied by a fixed polynomial C(x) = ’03’*X3 + ’01’*X2 + ’01’*X + ’02’ This corresponds to matrix multiplication b(x) = c(x) a(x): Lecture 2.3 - Private Key Cryptography III

  33. Rijndael: Key Expansion and Addition Each word is simply XOR’ed with the expanded round key Key Expansion algorithm: KeyExpansion(int* Key[4*Nk], int* EKey[Nb*(Nr+1)]) { for(i = 0; i < Nk; i++) EKey[i] = (Key[4*i],Key[4*i+1],Key[4*i+2],Key[4*i+3]); for(i = Nk; i < Nb * (Nr + 1); i++) { temp = EKey[i - 1]; if (i % Nk == 0) temp = SubByte(RotByte(temp)) ^ Rcon[i / Nk]; EKey[i] = EKey[i - Nk] ^ temp; } } Lecture 2.3 - Private Key Cryptography III

  34. Rijndael: Implementations • Rijndael is well suited for software implementations on 8-bit processors (important for “Smart Cards”) • Operations focus on bytes and nibbles, not 32 or 64 bit integers • Layers such as ByteSub can be efficiently implemented using small tables in ROM (e.g. < 256 bytes). • No special instructions are required to speed up operation • For 32-bit implementations: • An entire round can be implemented via a fast table lookup routine on machines with 32-bit or higher word lengths • Considerable parallelism exists in the algorithm • Each layer operates in a parallel manner on bytes of the round state, all four component transforms act on individual parts of the block • Although the Key expansion is complicated and cannot be parallelised, it only needs to be performed once until the two parties switch keys. Lecture 2.3 - Private Key Cryptography III

  35. Rijndael: Implementations • Hardware Implementations • Performs very well in software, but in some cases more performance is required (e.g. server and VPN applications). • Multiple S-Box engines, round-key EXORs, and byte shifts can all be implemented efficiently in hardware when absolute speed is required • Small amount of hardware can vastly speed up 8-bit implementations • Inverse Cipher • Except for the non-linear ByteSub step, each part of Rijndael has a straightforward inverse and the operations simply need to be undone in the reverse order. • Same code that encrypts a block can also decrypt the same block simply by changing certain tables and polynomials for each layer. The rest of the operation remains identical. Lecture 2.3 - Private Key Cryptography III

  36. Rijndael Future • Rijndael is an extremely fast, state-of-the-art, highly secure algorithm • Has efficient implementations in both hardware and software; it requires no special instructions to obtain good performance on any computing platform • Despite being the chosen by NIST as the AES candidate winner, Rijndael is not yet automatically the new encryption standard • Triple-DES, still highly secure and supported by NIST, is expected to be common for the foreseeable future. Lecture 2.3 - Private Key Cryptography III

  37. Further Reading • Chapter 6 of Stallings – Modes of Operations; Chapter 5 for AES • Chapter 7 of HAC – Modes of Operation Lecture 2.3 - Private Key Cryptography III

More Related