
Symmetric cryptography



  1. Symmetric cryptography (Slides by Jaap-Henk Hoepman & Jeroen Doumen)

  2. Contents • Basics • History • Ciphers • Attacks • Hashing

  3. Cryptology goals • Confidentiality • Data integrity • Authentication • Non-repudiation

  4. Cryptology • Cryptography • The art of making • Cryptanalysis • The art of breaking

  5. Example 1 • What’s the message? Greetings to all at Oxford. Many thanks for your letter and for the summer examination package all Entry forms and Fess Forms should be ready for final dispatch to the Syndicate by Friday 20th or at the very latest, I’m told, by the 21st. Admin has improved here, though there’s room for improvement still; just give us all two or three more years and we’ll really show you! Please don’t let these wretched 16+ proposals destroy your basic A and O pattern. Certainly this sort of change, If implemented immediately would bring chaos.

  6. Cryptography (diagram: plaintext, e.g. “attack at dawn” → encrypt → ciphertext, e.g. “sdwr$350/.]{]gtdfc” → decrypt → “attack at dawn”; the diagram labels the plaintext and keys “Secret!” and asks “public?” of the ciphertext and “secret?” of the algorithm)

  7. Algorithms + keys • Cipher (aka cryptosystem) • “Public” algorithm + • Secret keys (diagram: “attack” → encrypt → “sdwr$350” → decrypt → “attack”; a second pair in the diagram shows “attack” ↔ “gfd6#Q”)

  8. Encrypt/Decrypt • Block oriented • E.g. 256 bits in or out • One-to-one • 1 plaintext maps to 1 ciphertext, and vice-versa • What’s the disadvantage of one-to-many?

  9. Block representation • “attack at dawn” • ASCII: 97 116 116 97 99 107 32 97 116 32 … • binary: 01100011 01101011 00100000 01100001 (one 32-bit block)

  10. History • Monoalphabetic substitution • Caesar • Polyalphabetic substitution • Vigenere • Transposition cipher

  11. Caesar cipher • Replace each plaintext letter by the letter 3 places further down the alphabet • A=1, B=2, C=3, … • Encrypt: C = P+3 • Decrypt: P = C-3

  12. Caesar: example • “attackatdawn” → “dwwdfndwgdzq” • Problem: letter frequency undisturbed • High-frequency ciphertext letters map to high-frequency plaintext letters • Solution: increase the block size • To at least 4-5 letters

  13. Vigenere cipher • Code letters as numbers (A=0, B=1, etc.) • Key is a keyword • Encrypt: add the keyword to the plaintext (letter by letter) • Decrypt: subtract the keyword from the ciphertext • Example: plaintext wearediscoveredsaveyourself + key deceptivedeceptivedeceptive = ciphertext ZICVTWQNGRZGVTWAVZHCQYGLMGJ

  14. Plaintext • Text: distribution of characters known (E: 12%, T: 9%, A, I, N, O, R: 8%) • Distribution of bigraphs also known (TH: 3.2%, HE: 3.1%, ER: 2.1%) • Data: format known, e.g. <account>87539</account> <amount>1234</amount>

  15. Transposition cipher • Change the order of the letters in the message • “meet me after the toga party” is written over two rows, alternating letters: • m e m a t r h t g p r y • e t e f e t e o a a t • and read off row by row: “mematrhtgpryetefeteoaat”
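The following Python is an added worked example, not part of the slides: the Caesar, Vigenere and two-row transposition ciphers of slides 11 to 15, checked against the slides' own plaintext/ciphertext pairs, plus the letter-frequency observation of slide 12 (Caesar only relabels the frequency histogram). The function names and the `most_common_letter` check are this example's own.

```python
# Added example (not from the slides): the classical ciphers of slides 11-15,
# checked against the slides' own plaintext/ciphertext pairs.
from collections import Counter

ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def caesar(text, shift=3):
    """Caesar: replace each letter by the one `shift` places further down the
    alphabet, wrapping around (mod 26). Decrypt by calling with -shift."""
    out = []
    for ch in text.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(out)


def vigenere(text, keyword, decrypt=False):
    """Vigenere: add (or subtract) the repeated keyword letter by letter,
    with A=0, B=1, ... `text` is expected to contain letters only."""
    keyword = keyword.lower()
    out = []
    for i, ch in enumerate(text.lower()):
        k = ALPHABET.index(keyword[i % len(keyword)])
        p = ALPHABET.index(ch)
        out.append(ALPHABET[(p - k if decrypt else p + k) % 26])
    return "".join(out)


def rail_fence(text, rails=2):
    """Transposition (slide 15): write the message over `rails` rows, one
    letter per row in turn, then read the rows one after another."""
    rows = [""] * rails
    for i, ch in enumerate(text):
        rows[i % rails] += ch
    return "".join(rows)


def rail_fence_decrypt(cipher, rails=2):
    """Invert rail_fence: rebuild the rows from their known lengths and
    re-interleave them."""
    n = len(cipher)
    lengths = [len(range(r, n, rails)) for r in range(rails)]
    rows, pos = [], 0
    for length in lengths:
        rows.append(cipher[pos:pos + length])
        pos += length
    return "".join(rows[i % rails][i // rails] for i in range(n))


def most_common_letter(text):
    """Letter-frequency check for slide 12: Caesar only relabels the
    histogram, so the most frequent ciphertext letter is the image of the
    most frequent plaintext letter."""
    counts = Counter(c for c in text.lower() if c in ALPHABET)
    return counts.most_common(1)[0][0]


def slide_examples():
    """The three worked examples exactly as they appear on the slides."""
    return {
        "caesar": caesar("attackatdawn", 3),
        "vigenere": vigenere("wearediscoveredsaveyourself", "deceptive").upper(),
        "transposition": rail_fence("meetmeafterthetogaparty"),
    }


if __name__ == "__main__":
    for name, ct in slide_examples().items():
        print(f"{name:14s} {ct}")
```

Running the module prints the three ciphertexts of the slides; `most_common_letter` applied to the Caesar plaintext and ciphertext gives "a" and "d", which is exactly the leak slide 12 describes.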

  16. Modern ciphers: principles • Confusion • Substitution • Diffusion • Transposition

  17. Encryption • Goal • Data confidentiality • NOT INTEGRITY • Requirements • Ciphertext should not give information about plaintext (or key…) • Ciphertext should look random • Except when key is known • This should hold even if large number of ciphertext / plaintext pairs are known

  18. Stream cipher (diagram: stream generator → key stream (bits, or bytes); plaintext stream XOR key stream → ciphertext stream)

  19. XOR • XOR truth table: 0⊕0=0, 0⊕1=1, 1⊕0=1, 1⊕1=0 • Property: (c ⊕ k) ⊕ k = c • We can use the same keystream generator to encrypt and to decrypt!

  20. Stream ciphers • Faster and less complex in hardware • (Almost) no buffering • No error propagation • Most stream ciphers are confidential • GSM A5/1 -- broken! • Military
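An added example (Python, not from the slides) of the stream cipher of slides 17 to 20. The keystream generator is constructed from SHA-256 in counter mode purely to have something deterministic to XOR with; it stands in for a real stream cipher's generator and is not one. Beyond the slides, the last two functions show what slide 17's “NOT INTEGRITY” means in practice and why a keystream must never be reused under the same key.

```python
# Added example (not from the slides): a stream cipher as on slide 18, with a
# constructed keystream generator (SHA-256 in counter mode, for illustration).
import hashlib


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed keystream generator: SHA-256(key || nonce || counter),
    concatenated until `length` bytes are available."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stream_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Slide 19: (c xor k) xor k = c, so one function both encrypts and decrypts."""
    return xor_bytes(data, keystream(key, nonce, len(data)))


def roundtrip(key: bytes, nonce: bytes, plaintext: bytes) -> bool:
    return stream_crypt(key, nonce, stream_crypt(key, nonce, plaintext)) == plaintext


def tampered_decrypts_cleanly(key: bytes, nonce: bytes, plaintext: bytes) -> bool:
    """Slide 17's 'NOT INTEGRITY': flipping bits of the ciphertext flips exactly
    the same bits of the recovered plaintext, and decryption raises no error.
    Without a MAC the receiver cannot notice the modification."""
    delta = bytes([0x01]) + bytes(len(plaintext) - 1)  # flip the lowest bit of byte 0
    ciphertext = stream_crypt(key, nonce, plaintext)
    recovered = stream_crypt(key, nonce, xor_bytes(ciphertext, delta))
    return recovered == xor_bytes(plaintext, delta)


def keystream_reuse_leak(key: bytes, nonce: bytes, p1: bytes, p2: bytes) -> bool:
    """Reusing a keystream (same key and nonce) for two messages cancels it:
    c1 xor c2 == p1 xor p2, so the ciphertexts leak the XOR of the plaintexts.
    This is why a nonce must never repeat under one key."""
    c1 = stream_crypt(key, nonce, p1)
    c2 = stream_crypt(key, nonce, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


if __name__ == "__main__":
    key, nonce = b"constructed-demo-key", b"nonce-01"
    print(stream_crypt(key, nonce, b"attack at dawn").hex())
    print(roundtrip(key, nonce, b"attack at dawn"))
```

The two checks at the end are the reason a stream cipher is always paired with a MAC (slide 46) and a unique nonce per message: encryption alone gives confidentiality only.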

  21. Block cipher (diagram: n-bit plaintext block → encrypt → n-bit ciphertext block → decrypt → n-bit plaintext block)

  22. Encrypting larger messages • Operation modes • Electronic codebook (ECB) • Cipher Block Chaining (CBC) • Cipher Feedback (CFB) • Output Feedback (OFB)

  23. ECB mode (diagram: each plaintext block → encrypt → ciphertext block, independently of the other blocks) • Same plaintext block maps to same ciphertext block • Reordering, replacing possible • No error propagation • Bit changes only; bit deletions/omissions are a problem

  24. CBC mode (diagram: each plaintext block is XOR-ed with the previous ciphertext block, the IV for the first block, before it is encrypted) • Same plaintext block maps to different ciphertext block • Reordering, replacing not possible • Depending on previous block • Limited error propagation • Affects only current and next block

  25. CFB mode (diagram: IV → encrypt → XOR with plaintext stream → ciphertext stream; the ciphertext is fed back as the next encrypt input) • Works like a stream cipher • Self-synchronizing

  26. OFB mode (diagram: IV → encrypt → key stream, fed back as the next encrypt input; key stream XOR plaintext stream → ciphertext stream) • Works like a stream cipher

  27. Example: Mickey Mouse • Original picture

  28. Example: Mickey Mouse • Encrypted in ECB mode

  29. Example: Mickey Mouse • Encrypted in CBC mode

  30. Block cipher design • Iterate a round function • Two different types: • Feistel cipher (e.g. DES) • Substitution-permutation network (e.g. AES) • Round function built from linear functions and S-boxes (nonlinear).

  31. S-box • Nonlinear function • Implemented by a table • Large table => strong cipher • But a large table is hard to implement

  32. One Feistel round (diagram: inputs Li, Ri → round function of S-boxes (S) and a permutation (P), usually determined by the key schedule → outputs Li+1, Ri+1; the “round key” is derived from the key)

  33. One S/P round (diagram: a layer of eight S-boxes (S), which can be determined by the key schedule, followed by a permutation P; the “round key” is derived from the key)
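An added example (Python, not from the slides) that builds the Feistel structure of slide 32 into a toy 64-bit block cipher and drives it in the ECB and CBC modes of slides 23 and 24. The round function, key schedule, block size and padding are all constructed for the demonstration and do not form a real cipher. It reproduces the repeated-block leak of the Mickey Mouse slides (27 to 29) and CBC's “current and next block” error propagation in code.

```python
# Added example (not from the slides): toy Feistel cipher (slide 32) in ECB and
# CBC mode (slides 23/24). Round function, key schedule and sizes are constructed.
import hashlib

BLOCK = 8      # 64-bit block = two 32-bit halves L, R
ROUNDS = 8

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def round_keys(key: bytes):
    """Constructed key schedule: round key i = SHA-256(key || i)[:4]."""
    return [hashlib.sha256(key + bytes([i])).digest()[:4] for i in range(ROUNDS)]

def F(half: bytes, rk: bytes) -> bytes:
    """Round function; need not be invertible, the Feistel structure handles
    decryption. SHA-256 stands in for the S-box/P layers of the slide."""
    return hashlib.sha256(rk + half).digest()[:4]

def encrypt_block(block: bytes, rks) -> bytes:
    L, R = block[:4], block[4:]
    for rk in rks:                    # L_{i+1} = R_i ; R_{i+1} = L_i xor F(R_i, k_i)
        L, R = R, xor(L, F(R, rk))
    return L + R

def decrypt_block(block: bytes, rks) -> bytes:
    L, R = block[:4], block[4:]
    for rk in reversed(rks):          # same F, round keys in reverse order
        L, R = xor(R, F(L, rk)), L
    return L + R

def pad(data: bytes) -> bytes:        # PKCS#7-style padding to a whole block
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data: bytes) -> bytes:
    return data[:-data[-1]]

def blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    rks = round_keys(key)
    return b"".join(encrypt_block(b, rks) for b in blocks(pad(pt)))

def ecb_decrypt(key: bytes, ct: bytes) -> bytes:
    rks = round_keys(key)
    return unpad(b"".join(decrypt_block(b, rks) for b in blocks(ct)))

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    rks, prev, out = round_keys(key), iv, []
    for b in blocks(pad(pt)):         # C_i = E(P_i xor C_{i-1}), with C_{-1} = IV
        prev = encrypt_block(xor(b, prev), rks)
        out.append(prev)
    return b"".join(out)

def cbc_decrypt_raw(key: bytes, iv: bytes, ct: bytes) -> bytes:
    rks, prev, out = round_keys(key), iv, []
    for b in blocks(ct):              # P_i = D(C_i) xor C_{i-1}
        out.append(xor(decrypt_block(b, rks), prev))
        prev = b
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    return unpad(cbc_decrypt_raw(key, iv, ct))

def ecb_vs_cbc_pattern(key: bytes, iv: bytes):
    """Slides 23/24 and the Mickey Mouse pictures: 4 identical plaintext blocks
    give 1 distinct ECB block but 4 distinct CBC blocks (padding block ignored)."""
    pt = b"HEADHEAD" * 4
    return (len(set(blocks(ecb_encrypt(key, pt))[:4])),
            len(set(blocks(cbc_encrypt(key, iv, pt))[:4])))

def cbc_error_propagation(key: bytes, iv: bytes):
    """Slide 24: corrupt one ciphertext block; only that block (garbled) and
    the next one (same bit flipped) decrypt wrongly. One flag per block."""
    pt = b"A" * 24                    # 3 data blocks + 1 padding block
    ct = bytearray(cbc_encrypt(key, iv, pt))
    ct[BLOCK + 3] ^= 0x80             # flip one bit inside ciphertext block 1
    good = blocks(pad(pt))
    bad = blocks(cbc_decrypt_raw(key, iv, bytes(ct)))
    return [g != b for g, b in zip(good, bad)]

if __name__ == "__main__":
    key, iv = b"constructed-key", bytes(range(8))
    print(ecb_vs_cbc_pattern(key, iv))        # (1, 4)
    print(cbc_error_propagation(key, iv))     # [False, True, True, False]
```

The `F` function is deliberately one-way: the point of slide 32 is that the Feistel structure makes the cipher invertible regardless of `F`, so `decrypt_block` is the same loop with the round keys reversed.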

  34. AES • Advanced Encryption Standard, published by NIST as FIPS PUB 197 in 2001. • Selected from 15 candidates by NIST in an open selection process. • Successor of DES.

  35. AES properties • Block size 128 (or 192 or 256) bit (FIPS 197 fixes the block size at 128 bits; the larger block sizes are options of the original Rijndael design) • Key size 128, 192 or 256 bit • 10, 12 or 14 rounds depending on key length. • Substitution/permutation network, composed of: • Byte substitution • Shift rows • Mix columns • Round key addition

  36. Byte substitution • Plaintext is usually 128 bits, or 16 bytes (diagram: each byte of the state passes through the S-box S)

  37. Shift rows and mix columns • Diffusion is reached in two steps • Shift rows

  38. Shift rows and mix columns • Diffusion is reached in two steps • Mix columns: multiply each column by a fixed matrix

  39. Round key addition • Finally, the round key is XOR-ed (diagram: state ⊕ round key = new state)
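An added example (Python, not from the slides, and not a full AES implementation: there is no key schedule, the round key is a constructed constant) of the four AES round steps of slides 35 to 39 on the 4×4 byte state, including the GF(2^8) arithmetic behind Mix columns and the construction of the S-box from the field inverse and affine map. `bytes_changed_after` counts how a one-byte difference spreads: 4 bytes after one round, all 16 after two, which is the “diffusion in two steps” of slides 37 and 38.

```python
# Added example (not from the slides): the AES round steps on a 4x4 byte state.
# Constructed round key; no key schedule; not a complete AES.

def xtime(b: int) -> int:
    """Multiply by x (= 2) in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    b <<= 1
    return b ^ 0x11B if b & 0x100 else b

def gf_mul(a: int, b: int) -> int:
    """General GF(2^8) multiplication by shift-and-add."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def _rotl8(x: int, n: int) -> int:
    return ((x << n) | (x >> (8 - n))) & 0xFF

def _build_sbox():
    """S-box = affine transform of the multiplicative inverse (inverse(0) := 0)."""
    inv = [0] * 256
    for a in range(1, 256):
        if inv[a]:
            continue
        for b in range(1, 256):
            if gf_mul(a, b) == 1:
                inv[a], inv[b] = b, a
                break
    return [x ^ _rotl8(x, 1) ^ _rotl8(x, 2) ^ _rotl8(x, 3) ^ _rotl8(x, 4) ^ 0x63
            for x in inv]

SBOX = _build_sbox()

def to_state(data: bytes):
    """16 bytes -> 4x4 state, filled column by column: state[r][c] = data[r + 4c]."""
    return [[data[r + 4 * c] for c in range(4)] for r in range(4)]

def from_state(st) -> bytes:
    return bytes(st[r][c] for c in range(4) for r in range(4))

def sub_bytes(st):            # slide 36: every byte through the S-box
    return [[SBOX[b] for b in row] for row in st]

def shift_rows(st):           # slide 37: row r rotated left by r positions
    return [row[r:] + row[:r] for r, row in enumerate(st)]

def mix_columns(st):          # slide 38: each column times a fixed matrix over GF(2^8)
    out = [[0] * 4 for _ in range(4)]
    for c in range(4):
        a0, a1, a2, a3 = (st[r][c] for r in range(4))
        out[0][c] = gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3
        out[1][c] = a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3
        out[2][c] = a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3)
        out[3][c] = gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2)
    return out

def add_round_key(st, rk):    # slide 39: XOR the round key into the state
    return [[st[r][c] ^ rk[r][c] for c in range(4)] for r in range(4)]

def aes_round(st, rk):
    return add_round_key(mix_columns(shift_rows(sub_bytes(st))), rk)

def bytes_changed_after(rounds: int) -> int:
    """Diffusion: two inputs differing in one byte; count the state bytes that
    differ after `rounds` rounds (constructed round key 00 01 .. 0f)."""
    rk = to_state(bytes(range(16)))
    a = to_state(bytes(16))
    b = to_state(bytes([0x01]) + bytes(15))
    for _ in range(rounds):
        a, b = aes_round(a, rk), aes_round(b, rk)
    return sum(x != y for ra, rb in zip(a, b) for x, y in zip(ra, rb))

if __name__ == "__main__":
    print([bytes_changed_after(n) for n in range(3)])   # [1, 4, 16]
```

The S-box values can be checked against the FIPS 197 table (S(00)=63, S(53)=ed); the round key addition does not change differences between two states, so the diffusion count is produced entirely by Shift rows and Mix columns.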

  40. AES

  41. Attacks • Passive: • Ciphertext only • Known plaintext • Active: • Chosen plaintext • Adaptive chosen plaintext • Chosen ciphertext • Adaptive chosen ciphertext

  42. Your birthday please

  43. Small example

  44. Attacks • Brute force key search • passwords • Timing attack • Differential cryptanalysis • Birthday attack • Probability that 2 people in a group of 23 share the same birthday! • 23 ~ square root of 365 (roughly)
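An added example (Python, not from the slides) of slide 44's birthday bound: the probability that two of n people share a birthday, and the same square-root effect on a hash function, using SHA-256 truncated to a chosen number of bits over constructed inputs. The truncation and the input labels are this example's own choices; the lesson for a defender is that an n-bit hash gives only about n/2 bits of collision resistance.

```python
# Added example (not from the slides): the birthday bound of slide 44, on
# birthdays and on a truncated hash. Inputs are constructed.
import hashlib


def birthday_probability(n: int, days: int = 365) -> float:
    """P(at least two of n people share a birthday) = 1 - prod_{i<n} (days-i)/days."""
    p_all_distinct = 1.0
    for i in range(n):
        p_all_distinct *= (days - i) / days
    return 1.0 - p_all_distinct


def smallest_group(target: float = 0.5, days: int = 365) -> int:
    """Smallest n whose collision probability reaches `target`; 23 for 50%."""
    n = 1
    while birthday_probability(n, days) < target:
        n += 1
    return n


def truncated_hash(msg: bytes, bits: int) -> int:
    """First `bits` bits of SHA-256, to model a hash with a short output."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - bits)


def birthday_collision(bits: int):
    """Hash the constructed inputs msg-0, msg-1, ... until a truncated value
    repeats. About sqrt(2^bits) trials are needed, not 2^bits.
    Returns (first input, second input, trials used)."""
    seen = {}
    i = 0
    while True:
        m = f"msg-{i}".encode()
        h = truncated_hash(m, bits)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m
        i += 1


if __name__ == "__main__":
    print(round(birthday_probability(23), 4), smallest_group())
    m1, m2, trials = birthday_collision(32)
    print(m1, m2, "after", trials, "trials; sqrt(2^32) =", 2 ** 16)
```

For 32 bits the search finishes after tens of thousands of hashes instead of the four billion a brute-force preimage search would need, which is why digest lengths are chosen at twice the desired security level.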

  45. Hashing • (Public) Hash function h • Computes fixed length hash for arbitrary plaintext • Goal • Data integrity • Requirements • Pre-image resistant (“hard to invert”) • Hard to find x such that h(x)=z for given hash z • Collision resistant • Hard to find x,y such that h(x)=h(y) • Sometimes keyed

  46. Using hash functions • Detect modifications (MDC): unkeyed hash • Send m ; h(m) • A modified message m’ with the old hash is caught: error detected because h(m’) <> h(m) • But m’ ; h(m’) is accepted! MDC does not prevent forgery • Prevent forgery (MAC): keyed hash, m ; h(k,m) • Actually, not secure like this…
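An added example (Python, not from the slides) of slide 46's two uses of a hash function. The key and messages are constructed; HMAC from the standard library is used as the keyed hash instead of the bare h(k,m) of the slide, which the slide itself notes is not secure as written (HMAC, RFC 2104, is the standard construction), and tags are compared in constant time.

```python
# Added example (not from the slides): MDC versus MAC, as on slide 46.
# Key and messages are constructed; HMAC-SHA256 is the keyed hash.
import hashlib
import hmac


def mdc(m: bytes) -> bytes:
    """Unkeyed hash: anyone can compute it for any message."""
    return hashlib.sha256(m).digest()


def mac(key: bytes, m: bytes) -> bytes:
    """Keyed hash: only holders of `key` can compute a valid tag."""
    return hmac.new(key, m, hashlib.sha256).digest()


def verify_mdc(m: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mdc(m), tag)        # constant-time comparison


def verify_mac(key: bytes, m: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac(key, m), tag)


def slide46_scenario():
    key = b"constructed-shared-key"
    m, m_forged = b"amount=10", b"amount=99"
    return {
        # m' arrives with the original h(m): error detected, h(m') <> h(m)
        "mdc_detects_modification": not verify_mdc(m_forged, mdc(m)),
        # m' arrives with a freshly computed h(m'): accepted, MDC does not prevent forgery
        "mdc_accepts_forgery": verify_mdc(m_forged, mdc(m_forged)),
        # without the key, only an old tag can be replayed with m': rejected
        "mac_rejects_forgery": not verify_mac(key, m_forged, mac(key, m)),
        "mac_accepts_genuine": verify_mac(key, m, mac(key, m)),
    }


if __name__ == "__main__":
    for name, result in slide46_scenario().items():
        print(f"{name:26s} {result}")
```

All four flags come out True: the unkeyed hash protects against accidental corruption only, and the key is what turns a hash into an integrity mechanism against an adversary.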

  47. SHA • Developed by NIST and published as FIPS 180 in 1993 (SHA-1: FIPS 180-1 of 1995); • Input: arbitrary message < 2^64 bits • Split into 512 bit blocks • Output: 160 bit message digest • New: SHA-{128,256,512}

  48. SHA-1 (diagram) • Message padded to a multiple of 512 bits: message | padding 10..00 | length • The padded message is split into 512-bit blocks Y • Each block goes through the compression function HSHA together with the 160-bit chaining value CVi, giving the 160-bit CVi+1; the first chaining value is the IV • The last 160-bit chaining value is the output
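An added example (Python, not from the slides) implementing SHA-1 as the slide 48 diagram lays it out: padding to a multiple of 512 bits, the chaining of 160-bit values CVi through the compression function HSHA starting from the IV, and a check against the standard library's `hashlib.sha1`. The constants are the FIPS 180-1 values. SHA-1 is deprecated for collision resistance today (practical collisions have been published), which does not affect its use here as an illustration of the Merkle-Damgård structure.

```python
# Added example (not from the slides): SHA-1 following the slide 48 diagram,
# verified against hashlib. Educational; do not use SHA-1 in new designs.
import hashlib
import struct

IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
MASK = 0xFFFFFFFF


def rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def sha1_pad(message: bytes) -> bytes:
    """Padding from the diagram: a 1 bit, zeros, then the 64-bit big-endian
    message length, so the total is a multiple of 512 bits (64 bytes)."""
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded)) % 64)
    return padded + struct.pack(">Q", len(message) * 8)


def h_sha(cv, block: bytes):
    """Compression function: 160-bit CV_i and a 512-bit block -> CV_{i+1}."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):                         # message schedule
        w.append(rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = cv
    for i in range(80):                             # 80 rounds in 4 stages
        if i < 20:
            f, k = (b & c) | (~b & MASK & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (rotl(a, 5) + f + e + k + w[i]) & MASK, a, rotl(b, 30), c, d
    # feed-forward: add the input chaining value to the round output
    return tuple((x + y) & MASK for x, y in zip(cv, (a, b, c, d, e)))


def sha1(message: bytes) -> bytes:
    """Chain H_SHA over the 512-bit blocks; the last chaining value is the digest."""
    cv = IV
    padded = sha1_pad(message)
    for i in range(0, len(padded), 64):
        cv = h_sha(cv, padded[i:i + 64])
    return struct.pack(">5I", *cv)


def matches_stdlib(message: bytes) -> bool:
    return sha1(message) == hashlib.sha1(message).digest()


if __name__ == "__main__":
    print(sha1(b"abc").hex())     # a9993e364706816aba3e25717850c26c9cd0d89d
    print(all(matches_stdlib(b"a" * n) for n in (0, 55, 56, 64, 200)))
```

The message lengths 55, 56 and 64 are the interesting ones for `sha1_pad`: 55 bytes still fit in one block with the length field, 56 bytes force a second block, and 64 bytes are exactly one block plus a padding-only block.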

  49. Remarks • SHA-1 stronger than MD5 • Also RIPEMD-160 • Especially against brute force • SHA-1 slower than MD5 • More rounds • Both perform well on 32 bit architectures • Don’t use MD5
