

  1. Lecture 7: Using Block Ciphers David Evans http://www.cs.virginia.edu/evans Images from http://rfidanalysis.org/ CS588: Security and Privacy University of Virginia Computer Science

  2. Menu • PS2 • Modes of Operation • Differential Cryptanalysis Sorry, PS1 is not ready to return yet! If you want it back before then, find me at my office tomorrow morning, or get it from Matt during his office hours (2:30-3:30 tomorrow) University of Virginia CS 588

  3. Ken Elzinga’s Theory on Writing Mysteries • Requires: • Creativity • Discipline • Very few people can be both • Most good mystery novels are written by pairs: • “Marshall Jevons” = Bill Breit and Ken Elzinga • “Ellery Queen” = Manfred Lee and Frederic Dannay

  4. Dave Evans’ Theory on Cryptography (after Ken Elzinga’s Theory on Writing Mysteries) • Requires: • Creativity • Discipline • Very few people can be both • Most good ciphers are designed/broken by small teams: • Dolev-Yao, Needham-Schroeder, Diffie-Hellman, Daemen/Rijmen (AES), Blum-Blum-Shub, Rivest-Shamir-Adleman, Boneh/Franklin (IBE)

  5. Creativity vs. Discipline • Creativity: mostly about breaking rules • Discipline: mostly about following rules • Rules = internal consistency, mathematical correctness, sticking with stated assumptions • US was founded by rebels and has lots of space, so we value creativity most (except in teenagers and soldiers)

  6. RSA [1978] • Ron Rivest and Adi Shamir tried to find ways to implement public-key cryptography • Len Adleman poked holes in their first dozen ideas • Eventually, they found one he couldn’t • Adleman thought the cipher should be RS (but Rivest convinced him otherwise) We’ll cover RSA later after spring break, but you’ve probably heard of it already. It’s the most important cipher invented since One Time Pad (Vernam, 1917).

  7. Overstatement? “The most important technological breakthrough in the last thousand years.” Lawrence Lessig (Possibly an overstatement, but he’s a lawyer)

  8. PS2 Teams • Must be diverse in at least 2 of these: • Nationality • Major (CS/Math/ECE/Bioinformatics/other) • Year (Grad/4th/3rd/other) • Liked breaking two-time pad (yes/no) • Examples: • Australian bioinformatics major can work with anyone • USian, 4th year CS major who liked breaking two-time pad can’t work with a USian 3rd year CS major unless she/he didn’t like breaking the two-time pad • If you can get Ron Rivest, Adi Shamir or Len Adleman on your team, you don’t need to worry about the other rules Find a partner before leaving today!

  9. Confidentiality Modes of Operation

  10. Modes of Operation • Transmitting a long plaintext using 3DES: P = P_1 || P_2 || ... || P_N • Electronic Codebook Mode: C = E_K(P_1) || E_K(P_2) || ... || E_K(P_N) • Problems: • Any identical blocks encrypted identically • 64 bits = 8 ASCII characters • Reveals lots about your message (even if unbroken) • Lots of ciphertext encrypted with same K

  11. Cipher Block Chaining [diagram: P_1 ⊕ IV → DES (key K) → C_1 to receiver; P_2 ⊕ C_1 → DES (key K) → C_2 to receiver; ...]

  12. Cipher Block Chaining C_i = E_K(P_i ⊕ C_{i-1}), C_1 = E_K(P_1 ⊕ IV). Decrypt: M_i = D_K(C_i) ⊕ C_{i-1}, M_1 = D_K(C_1) ⊕ IV. Check: D_K(E_K(P_i ⊕ C_{i-1})) ⊕ C_{i-1} = P_i ⊕ C_{i-1} ⊕ C_{i-1} = P_i

  13. Cipher Feedback Mode [diagram: shift register initialized with IV → DES (key K) → j bits of output ⊕ P_1 (j bits) → C_1 to receiver; C_1 is shifted into the register → DES (key K) → j bits ⊕ P_2 → C_2 to receiver; ...] Does the IV need to be secret?

  14. Output Feedback Mode [diagram: shift register initialized with IV → DES (key K) → j bits of output ⊕ P_1 → C_1 to receiver; the same j output bits (not C_1) are shifted back into the register → DES (key K) → j bits ⊕ P_2 → C_2 to receiver; ...]

  15. CFB vs OFB [side-by-side diagrams of the Cipher Feedback and Output Feedback modes from the two previous slides] Which is better for wireless transmissions? Which is better for preventing message tampering?
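The four modes of slides 10 to 15, written out as runnable code. This is an added example, not from the lecture: the 64-bit block cipher standing in for DES is a constructed hash-based Feistel network (not DES and not a vetted cipher), CFB is shown with j = 64 (a whole block fed back), there is no padding, and the key, IV and plaintexts are made-up sample values. The helpers show the ECB problem from slide 10 (identical plaintext blocks give identical ciphertext blocks) and the error-propagation behaviour that slide 15's questions turn on: flip one ciphertext bit and count how many plaintext bits each block loses after decryption.

```python
import hashlib

BLOCK = 8  # 64-bit blocks, the DES/3DES block size the slides assume


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, half, rnd):
    # Round function of the stand-in cipher: keyed SHA-256 truncated to 32 bits.
    # Constructed for this example; it is NOT DES and not a vetted cipher.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def e(key, block):
    """E_K: 8-round balanced Feistel network over one 64-bit block."""
    l, r = block[:4], block[4:]
    for rnd in range(8):
        l, r = r, _xor(l, _round(key, r, rnd))
    return l + r


def d(key, block):
    """D_K: the Feistel rounds of e() run backwards."""
    l, r = block[:4], block[4:]
    for rnd in reversed(range(8)):
        l, r = _xor(r, _round(key, l, rnd)), l
    return l + r


def _blocks(data):
    assert len(data) % BLOCK == 0, "example assumes whole blocks (no padding)"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, iv, pt):  # C_i = E_K(P_i); the IV is unused
    return b"".join(e(key, p) for p in _blocks(pt))


def ecb_decrypt(key, iv, ct):
    return b"".join(d(key, c) for c in _blocks(ct))


def cbc_encrypt(key, iv, pt):  # C_i = E_K(P_i xor C_{i-1}), C_0 = IV
    out, prev = [], iv
    for p in _blocks(pt):
        prev = e(key, _xor(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):  # P_i = D_K(C_i) xor C_{i-1}
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(d(key, c), prev))
        prev = c
    return b"".join(out)


def cfb_encrypt(key, iv, pt):  # C_i = P_i xor E_K(C_{i-1}); whole-block CFB (j = 64)
    out, prev = [], iv
    for p in _blocks(pt):
        prev = _xor(p, e(key, prev))
        out.append(prev)
    return b"".join(out)


def cfb_decrypt(key, iv, ct):  # P_i = C_i xor E_K(C_{i-1}); decryption never calls D_K
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(c, e(key, prev)))
        prev = c
    return b"".join(out)


def ofb_encrypt(key, iv, pt):  # O_i = E_K(O_{i-1}), O_0 = IV; C_i = P_i xor O_i
    out, o = [], iv
    for p in _blocks(pt):
        o = e(key, o)
        out.append(_xor(p, o))
    return b"".join(out)


ofb_decrypt = ofb_encrypt  # OFB decrypts by XORing the same keystream again

MODES = {"ECB": (ecb_encrypt, ecb_decrypt), "CBC": (cbc_encrypt, cbc_decrypt),
         "CFB": (cfb_encrypt, cfb_decrypt), "OFB": (ofb_encrypt, ofb_decrypt)}

KEY = b"cs588key"      # constructed sample key for the stand-in cipher
IV = bytes(range(8))   # constructed sample IV; it travels in the clear


def distinct_blocks(mode, pt=b"HEADER00SECRET!!HEADER00SECRET!!"):
    """Slide 10: distinct ciphertext blocks for a plaintext whose blocks repeat (A B A B)."""
    return len(set(_blocks(MODES[mode][0](KEY, IV, pt))))


def roundtrip(mode, pt=b"block 1 block 2 block 3 "):
    """Decryption inverts encryption in every mode."""
    enc, dec = MODES[mode]
    return dec(KEY, IV, enc(KEY, IV, pt)) == pt


def error_propagation(mode, bit=3, pt=b"block 1 block 2 block 3 "):
    """Slide 15: flip one bit of ciphertext block 1, decrypt, count wrong plaintext bits per block."""
    enc, dec = MODES[mode]
    ct = bytearray(enc(KEY, IV, pt))
    ct[bit // 8] ^= 1 << (bit % 8)
    bad = dec(KEY, IV, bytes(ct))
    return [sum(bin(x).count("1") for x in _xor(p, q))
            for p, q in zip(_blocks(pt), _blocks(bad))]


if __name__ == "__main__":
    for m in MODES:
        print(m, roundtrip(m), distinct_blocks(m), error_propagation(m))
```

Running error_propagation on each mode gives: OFB flips exactly the one corresponding plaintext bit; CFB flips one bit in the block hit and garbles the whole next block (that block's keystream is E_K of the damaged ciphertext); CBC garbles the block hit and flips one bit in the next; ECB garbles only the block hit. A single wireless bit error therefore costs almost nothing under OFB, while under CFB a modified ciphertext bit also destroys the following block, which is more likely to be noticed, although none of these modes authenticates the message. The IV is sent in the clear here: none of the modes needs it secret, but CBC needs it unpredictable, and CFB/OFB must never reuse one under the same key, since repeating the IV repeats the keystream.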

  16. What does it mean to “break” a cipher? • Practical: • You can determine the plaintext corresponding to some ciphertext without the key • You can determine the key given some plaintext-ciphertext pairs

  17. What does it mean to “break” a cipher? • Academic: • You have a technique that does better than brute force (e.g., break 112-bit 3DES with 2^111 max attempts) • You have a technique that does better than brute force on a weakened (fewer rounds, smaller block) version of the cipher (e.g., break DES with 15 rounds) • You have identified some mathematical weakness in the cipher, but don’t yet know how to use it usefully (e.g., there exist two different keys that map a plaintext to the same ciphertext)

  18. DES Attacks • Last time: • Mostly Brute force (guessing all keys) • DES keyspace is too small • But nowhere near good enough for 3DES • Side-Channel: Power Analysis • Now: Differential Cryptanalysis

  19. Differential Cryptanalysis • [Biham & Shamir, 1990] • With enough work (2^47) and enough chosen plaintexts (2^47) can find key (compared to 2^56 brute force work) • Successful academic attack: takes 3 years of 1.5Mbps encrypting chosen plaintext to get enough! • Is a successful practical attack on other ciphers

  20. Differential Cryptanalysis Idea • Choose plaintext pairs with fixed difference: ΔX = X ⊕ X’ • Use differences in resulting ciphertext to guess key probabilities • Requires chosen plaintext: attacker chooses plaintext and receives ciphertext (e.g., SpeedyPass challenge-response protocol!)

  21. One Round • ΔX = X ⊕ X’ • ΔXi = 0 iff Xi = Xi’ [diagram of one DES round on inputs X, X’ (32 bits each): E/P → X1, X1’ (48 bits) → ⊕ Kn → X2, X2’ → S → X3, X3’ (32 bits) → P → X4, X4’] • E/P preserves values: ΔXi = 0 ⇒ X1_{ep(i)} = X1’_{ep(i)}, where ep(i) is a function defined by the E table • ⊕ preserves values: X2i = X1i ⊕ Kn, X2i’ = X1i’ ⊕ Kn • ΔXi = 0 ⇒ X2_{ep(i)} = X2’_{ep(i)}

  22. One Round, cont. [diagram: X2, X2’ → S → X3, X3’ → P → X4, X4’ (known from ciphertext)] • ΔXi = 0 ⇒ X2_{ep(i)} = X2’_{ep(i)}; X3i = X3i’ ⇒ X4_{p(i)} = X4’_{p(i)} • S-boxes are non-linear! • ΔXi = 0 does not imply X3_{s(ep(i))} = X3’_{s(ep(i))} • But, maybe they do probabilistically: • ΔXi = 0 ⇒ p(X3_{s(ep(i))} = X3’_{s(ep(i))}) > .5? or < .5? It’s a function of the key: p determined experimentally.

  23. Differential Characteristics (These slides are based on Howard Heys’ Tutorial on Linear and Differential Cryptanalysis, linked from course website) Inputs: A = [A1, A2, A3…A64], B = [B1, B2, B3…B64] Outputs: a = [a1, a2, a3…a64] = { A }K, b = [b1, b2, b3…b64] = { B }K Differences: ΔP = A ⊕ B = [A1 ⊕ B1, …, A64 ⊕ B64], ΔC = a ⊕ b = [a1 ⊕ b1, …, a64 ⊕ b64] Differential = (ΔP, ΔC)

  24. Goal • Find a particular value of ΔP for which a particular ΔC value occurs with high probability • Allows attacker to predict bits coming into last round of cipher If you know what one round of DES does, you can find the subkey for that round (fairly easily)!

  25. From Howard Heys’ Tutorial on Linear and Differential Cryptanalysis http://www.engr.mun.ca/~howard/PAPERS/ldc_tutorial.pdf

  26. Remember: S-Boxes are confusing, but not secret. All DES implementations use the same S-Boxes. S-box S1 takes 6 bits x1x2x3x4x5x6: x2x3x4x5 select the column, x1x6 (00, 01, 10, 11) select the row. 4 inputs to S1 produce 0: 011100, 000001, 111110, 111011

  27. Partial pair XOR Distribution, S1 [table image: rows indexed by input XOR (6 bits)]

  28. What would ideal distribution be? [table image: rows indexed by input XOR]

  29. What would ideal distribution be? Getting deterministically different outputs when the inputs are identical is really, really hard! Why can’t we just make S-Boxes that do this? [table image: rows indexed by input XOR]

  30. Differential Cryptanalysis • Propagate experimental probabilities for 1 round through 16 rounds • After enough P-C pairs, one key becomes most probable • Difficulty depends heavily on S-Box choices • First published in 1990, but NSA knew about it in 1973! (That’s why they changed IBM’s S-Boxes!)

  31. Differential Cryptanalysis • “Successful” on DES up to 15 rounds (better than exhaustive search) • By 16th round, characteristic probabilities are 2^-56 • Very successful on DES variants (breaks GDES with 6 chosen plaintexts) • Very successful on FEAL (FEAL-4, FEAL-8, FEAL-N, FEAL-NX, ...) • Would be very successful on Curry Cipher (but so would less sophisticated techniques)

  32. Related Techniques • Linear Cryptanalysis [Matsui, 1994] • Try to find equations like X_{i1} ⊕ X_{i2} ⊕ … ⊕ X_{in} ⊕ Y_{j1} ⊕ Y_{j2} ⊕ … ⊕ Y_{jv} = 0, where X_{ik} selects some input bit and Y_{jk} selects some output bit, such that the probability it is satisfied is different from ½ • Boomerang Attack [Wagner 1999] • Slide Attacks [Biryukov & Wagner, 1999]
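The pair XOR distribution table that slides 26 to 29 show for S1, and the linear approximations of slide 32, computed for real. This is an added example, not from the lecture or from Heys' tutorial; the only external data is the S1 table itself, the public FIPS 46 S-box the slides refer to, indexed as slide 26 describes (x1 taken as the most significant bit, x1x6 picking the row and x2x3x4x5 the column). pair_xor_distribution() counts, for every 6-bit input XOR, how often each 4-bit output XOR occurs over the 64 inputs; linear_approximation_table() counts how often an input-bit/output-bit XOR equation of the form on slide 32 holds, so the bias away from ½ can be read off.

```python
# DES S-box S1 from FIPS 46 (public; every DES implementation uses the same table).
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def s1(x):
    """Apply S1 to a 6-bit input x1..x6 (x1 = MSB): x1x6 select the row, x2x3x4x5 the column."""
    row = ((x >> 5) & 1) << 1 | (x & 1)
    col = (x >> 1) & 0xF
    return S1[row][col]


def zero_preimages():
    """The 6-bit inputs that S1 maps to 0 (slide 26 lists four of them)."""
    return sorted(x for x in range(64) if s1(x) == 0)


def pair_xor_distribution():
    """ddt[din][dout] = number of inputs x with s1(x) ^ s1(x ^ din) == dout.

    Row 0 is forced to [64, 0, ..., 0]: identical inputs always give identical outputs.
    For din != 0 every entry is even, because x and x ^ din form the same pair.
    """
    ddt = [[0] * 16 for _ in range(64)]
    for din in range(64):
        for x in range(64):
            ddt[din][s1(x) ^ s1(x ^ din)] += 1
    return ddt


def best_output_xor(din):
    """Most likely output XOR for a given input XOR and its count (probability = count / 64)."""
    row = pair_xor_distribution()[din]
    dout = max(range(16), key=row.__getitem__)
    return dout, row[dout]


def parity(v):
    return bin(v).count("1") & 1


def linear_approximation_table():
    """lat[a][b] = number of x with parity(a & x) == parity(b & s1(x)).

    a picks the input bits X_{i1}..X_{in}, b the output bits Y_{j1}..Y_{jv} of slide 32's
    equation; the equation holds with probability lat[a][b] / 64, i.e. bias (lat - 32) / 64.
    """
    lat = [[0] * 16 for _ in range(64)]
    for a in range(64):
        for b in range(16):
            lat[a][b] = sum(1 for x in range(64) if parity(a & x) == parity(b & s1(x)))
    return lat


def best_linear_approximation():
    """Non-trivial mask pair (a, b) with the largest |bias|, and that bias."""
    lat = linear_approximation_table()
    a, b = max(((a, b) for a in range(1, 64) for b in range(1, 16)),
               key=lambda ab: abs(lat[ab[0]][ab[1]] - 32))
    return a, b, (lat[a][b] - 32) / 64


if __name__ == "__main__":
    print("S1 inputs mapping to 0:", [format(x, "06b") for x in zero_preimages()])
    print("input XOR 0x34 row of the pair XOR table:", pair_xor_distribution()[0x34])
    print("best linear approximation (a, b, bias):", best_linear_approximation())
```

Two things to check against the slides: zero_preimages() returns the four inputs listed on slide 26, and the row for input XOR 0 has all 64 pairs at output XOR 0, which is the "deterministically different outputs for identical inputs" row that slide 29 jokes about. For a non-zero input XOR the ideal row would be flat (4 in each of the 16 columns). S1 is far from that: input XOR 0x34 gives output XOR 0x2 for 16 of the 64 pairs, a probability of 1/4, and that is exactly the kind of entry a differential characteristic is built from. The E/P and key-XOR steps of slide 21 never enter this table because they preserve differences; only the S-box contributes uncertainty, and only its non-uniformity lets probabilities be propagated round by round as slide 30 describes.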

  33. Charge • Find a partner for PS2 now • If you already have gotten past question 1 with someone, you can keep working together • Otherwise, find a partner who satisfies the diversity constraints (different in 2 or more): • Nationality • Major (CS/Math/ECE/Bioinformatics/other) • Year (Grad/4th/3rd/other) • Liked breaking two-time pad (yes/no)
