- 205 Views
- Uploaded on

Download Presentation
## PowerPoint Slideshow about 'Conventional Cryptography' - mandell

**An Image/Link below is provided (as is) to download presentation**

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

### Conventional Cryptography

### Symmetric Cryptography

### Cipher BlockModes of Operation

### Message Authentication Using Conventional Cryptography

Dr. Ron Rymon

Efi Arazi School of Computer Science

IDC, Herzliya. 2010/11

Pre-Requisites: Simple Math Background

Overview

- Symmetric Cryptography
- Cipher Block Modes
- Key Management
- Message Authentication Using Conventional Cryptography

Main sources: Network Security Essentials / Stallings

Applied Cryptography / Schneier

Symmetric Cryptography Protocol

- A typical protocol
- Alice and Bob agree on cryptosystem (algorithm)
- Alice and Bob agree on a key
- Alice encrypts her message with the key
- Alice sends the message to Bob
- Bob decrypts the messages using same key
- A common variation is where a new key is issued for each “session” (set of messages) and is exchanged encrypted using the “master” key

Feistel Networks

- Most block encryption algorithms use this general structure, due to Horst Feistel (1973)
- Inputs: Plaintext (halved) , Key, Round function F
- Uses n rounds, in each (e.g., n=16)
- Inputs: Li and Ri ; Ki is derived from K (sub-key)
- Li+1=Ri
- Ri+1=LiF(Ri,Ki)
- F (“round function”) selects certain bits, duplicates some, and permutes them. Ki is derived from K
- Final ciphertext is combination of Ln and Rn
- At IBM, Feistel built Lucifer, the first such system

Notes on Feistel Cipher Structure

- Decryption: The same process is reversible
- Ri-1=Li
- Li-1=RiF(Ri-1,Ki-1)
- Same algorithm can be used but with keys reversed
- Security Considerations
- Larger block size results in fewer blocks and increased security
- Larger key size also increases security (recall Shannon)
- More rounds considered to offer better security (?)
- Greater complexity of subkey generation may help security
- Greater complexity of round function may increase security

Design Goals for Block Ciphers

- Highly secure – more of everything…
- Fast – fewer rounds that use simpler operations
- Low communication overheads
- Low battery consumption in hand-helds
- Easy to implement in hardware
- Simple, ubiquitous operations
- Efficient in memory usage
- Can run on a smart card
- Require less secret material (keys, boxes)
- Sometimes put on expensive tamper-proof memory

Design Principles for Feistel Round Function

- Feistel is a family of algorithms
- Depends on choice of F, and subkey generation algorithm’
- Can be designed to fit needs
- Non-Linearity. F is as difficult as possible to approximate with a set of linear equations
- Avalanche
- Strict Avalanche Criterion (SAC) – with the change of any one input bit, every output bit shall change with probability of exactly ½
- Bit Independence Criterion (BIC) – output bits i,j shall change independently from each other when an input bit is inverted
- Guaranteed Avalanche – at least n output bits will change whenever any single input bit is inverted

Data Encryption Standard (DES)

- Without a standard, software and hardware cannot interoperate, or at least it is very expensive
- In 1973, National Institute for Standards and Technology (NIST) issued RFP for Data Encryption Algorithm (DEA)
- provide high level of security
- completely specified and easy to understand
- the security must reside in the key
- available to all users
- adaptable to diverse applications
- economically implementable in hardware
- efficient to use
- validated
- exportable

Data Encryption Standard (DES)

- NIST (NBS) issued a Request For Proposal (RFP)
- Only serious proposal came from IBM
- Patented and based on Lucifer (Feistel et al)
- NIST issued a Request For Comments (RFC)
- For first time, a crypto algorithm is reviewed by experts (NSA)
- Quite a few were concerned about NSA backdoor
- NSA reduced the key size from 112 to 56 bits
- Diffie and Helman presented a $20MM 1-day DES cracking machine
- NSA had also changed the original “S-boxes” design
- There were some claims of linearity in the new design
- DES was adopted in 1977, and renewed in 1983
- In 1987, under NSA pressure, DES almost not re-certified
- Concerned about the details of the algorithm being open and available to software implementations
- Certified only hardware implementations until 1994

Data Encryption Standard (DES)

- A Feistel block cipher structure
- 64-bit blocks
- 56-bit keys
- 16 rounds
- Adds initial and final permutation of the text (irrelevant to security)
- Key shifted circularly for next round, and 48 bits are selected for Ki

One Round of DES

- Key Transformation
- Each key-half is shifted 1 or 2 bits in each round (per given table)
- The 56 key bits are permuted and 48 bits are chosen (per table)
- Text transformations
- Expansion of Ri from 32 to 48 bits (size of key)
- Avalanche effect – some bits are duplicated
- 48 bits are XORed with Ki
- Substitution, using 8 S-Boxes with 6-bit input and 4-bit output
- S-boxes are well chosen to introduce non-linearity
- 32 bits are permuted according to specified P-Box
- 32 bits are XORed with Li to create Ri+1

Data Encryption Standard (DES)

- Confusion
- Obtained through permutations, substitutions, and number of rounds
- Diffusion
- Good avalanche effect – 1 bit difference in plaintext quickly results in a large difference in bits, even after few rounds
- Performance
- Software implementations were slow
- On IBM Mainframe 32,000 blocks / second
- Hardware implementations were very fast
- VLSI Technology 6868 (“Gatekeeper”) DESes in 8 clock cycles
- DEC built GaAs gate array that DESes 16.8 million blocks / second

DES Avalanche Effect

- (a) Difference between two plaintexts with 1-bit original difference
- (b) Difference between two keys with 1-bit original difference

Data Encryption Standard (DES)

- Weak keys
- Some keys will result in identical subkeys, e.g., if all 0’s, or all 1’s
- Claims that the S-boxes were weakened by the NSA
- Notable DES Attacks
- In 1990, Eli Biham and Adi Shamir presented differential cryptanalysis
- A chosen-plaintext attack that uses two plaintexts with specific difference. Then, based on the difference in the ciphertext (and also internal rounds), one can update the a priori probability of keys
- Similar to the “T-attack” that was originally developed at IBM and was classified by NSA
- In 1993, Mitsuru Matsui showed linear cryptanalysis attack
- Certain XORs of plaintext and ciphertext bits will result in a certain XOR of key bits with some probability p1/2

EFF’s DES Cracker

- In 1996, a public debate about security of DES.
- US Agencies (FBI, NSA) claiming that they cannot practically break DES (takes weeks on many computers)
- Offer companies software export license in return for establishing a “key recovery” system
- Electronic Frontier Foundation DES Cracker project
- DES is slow in software but fast in hardware
- Used easily available Field Programmable Gate Arrays
- Total budget is $200,000
- Used hardware to winnow false positives (plaintext recognizer) then software to test the remaining
- A 1996 paper by top cryptographers suggests a minimum key size of 75 bits, and 90 bits needed to hold for 20 years

RC5

- Also a block cipher, invented by Ron Rivest (1994)
- Similar in structure to Feistel
- Operations: XORs, Additions (mod bitsize), and Rotations
- Word-oriented, Low-cycle operations – Fast in software
- Variable length blocks, keys, and number of rounds (r)
- Each block is made of 2 w-bits blocks (A, B) (w=16,/32/64)
- Each key is made of bx8 bits (0<b<255; can be larger than a block)
- Round keys (S2i , S2i+1), each with w bits, are derived from the key
- Encryption and decryption consist of r rounds
- With 16+ rounds, RC5 resists differential attack
- 12 round RC5 shown susceptible with 244 chosen plaintexts
- Data-dependent shifts is one of the innovations of RC5

RC5 Encryption and Decryption

A

B

- S2i ,S2i+1 are round sub-keys
- Start: A=A+S0 ; B=B+S1
- In each encryption round (i=1..r)
- A=((A B)<<<B) + S2i
- B=((A B)<<<A) + S2i+1
- In each decryption round (i=r…1)
- B=((B-S2i+1)>>>A) A
- A=((A-S2i)>>>B) B
- Finish: A=A-S0 ; B=B-S1

S2i

S2i+1

A

B

RC5: Subkey Generation

- Sub-keys are a mix of original key with two words
- P=Odd((e-2)2w) – e is the natural log ≈ 2.71
- Q=Odd((Phi-1)2w) – Phi is golden ratio (1+sqrt(5))/2 ≈ 1.61
- Initialize a c-word sub-key array
- S0=P
- For i=1…2r+1
- Si=(Si-1+Q)
- Mix with key bits
- L is a c-word array filled with 0-padded concatenation of key bits
- c rounds the key bytes into words
- i=j=0; A=B=0;
- Do 3n times (n=max{2(r+1),c})
- A= Si=(Si +A+B)<<<3
- B= Lj=(Lj +A+B)<<<(A+B)
- i=(i+1) mod 2(r+1)
- j=(j+1) mod c

Variants in Other Block Ciphers

- Blowfish (Schneier)
- Simple: additions, XORs, and table lookups
- Table lookups may require large memory
- Variable key length
- CAST
- The round function differs from one round to next
- Int’l Data Encryption Alg (IDEA), Lai and Masey
- Plaintext, key, and ciphertext are divided to 4 parts
- Uses XORs, additions, and multiplications in 8 rounds
- 128-bit key, 52 16-bit subkeys (can be independent)
- Resists differential cryptanalysis
- Used in PGP

Triple DES (3DES)

- In 1999, DES becomes too weak
- NIST replaces DES with 3DES
- 3DES (EDE) uses three 56-bit keys

- C=Ek3(Dk2(Ek1(P)))
- P=Dk1(Ek2(Dk3(C)))
- Note: if K1=K2 then 3DES=DES
- Double encryption doesn’t work well
- Merkle-Hellman chosen plaintext man-in-the-middle attack requires only 2n+1 trials (instead of 22n)
- Quintuple encryption also ok
- C=Ek1(Dk2(Ek3(Dk2(Ek1(P)))

Stream Ciphers

Keystream

Generator

Ki

- A pseudorandom keystream generator
- Keystream depends only on generating key
- Keystream bits are XORed with the plaintext to produce the ciphertext, and vice-versa
- Similar to one-time pads, except that not strictly random
- Keystream period should be as long as possible
- Other options
- Keystream may change according also to previous encryptions, block index, etc.
- In synchronous stream ciphers, keystream does not depend on text, otherwise, it is called self-synchronizing

Pi

Ci

RC4

- Byte-based stream cipher, with variable key size
- Uses an S-box, with all possible 8-bit key-entries
- Initialized so that S[i]=i, i=0…255
- S[i]’s are initially permuted, based on the key
- j=0
- for i=0 to 255
- j=(j+S[i]+K[i]) mod 256; // K[i] is original key
- Swap S[i] and S[j]
- In each iteration
- Indices i,j are updated
- i=i+1 mod 256; j=(j+S[i]) mod 256
- S[i] and S[j] are swapped for current i,j
- K=S[(S[i]+S[j] mod 256]
- The keystream K is then XORed with the plaintext
- RC4 with up to 40-bit keys was approved by NSA, and is used in Lotus Notes, CDPD, WEP, and original SSL

Summary of Cryptography Algs

- Block by block
- Rounds structure
- Key generation
- Mixing key bits for confusion and diffusion
- Use of state matrix for session key
- Encryption
- Mix round key with plaintext for confusion/diffusion
- Bit permutation
- Substitution with S-boxes for non-linearity
- Data dependent operations (e.g., shifts) to add complexity
- Use of processor-friendly operations for software speed
- Key size, block size, many rounds add to security
- Multi-application of encryption with more key bits
- Block ciphers vs. Stream Ciphers

Advanced Encryption Standard (AES)

- NIST put out the RFP in 1997
- In meantime, 3DES replaces DES in 1999
- Main criteria for evaluation
- Security
- Cost and performance of implementation
- General evaluation of design features
- Five finalists (out of 21):
- In October 2000, NIST recommended Rijndael
- Approved 2002

Rijndael Block Cipher

- By Belgians Joan Daemen, and Vincent Rijmen
- Variables block size and key size
- Number of rounds determined by block and key size
- Does not use Feistel structure
- Instead, each round uses a state and 4 operations
- Non-linear layer, uses optimized S-boxes, for confusion
- 16x16 S-box with all byte values, and a separate inverse S-box
- Linear mixing layer for diffusion
- Row shifts on the state matrix
- Column mixes on the state matrix
- Key addition layer, using a simple XOR
- AES set to use Rijndael with 128bit blocks, key size of 128-192-256 bits, and 10-12-14 rounds

Main sources: Network Security Essential / Stallings

Applied Cryptography / Schneier

Cipher Block Modes of Operation

- FIPS 81 defines four “modes” of operation for block ciphers:
- Electronic Codebook (ECB)
- Cipher Block Chaining (CBC)
- Cipher Feedback (CFB)
- Output Feedback (OFB)
- Other modes also developed, e.g., Counter Mode (CTR)
- Can work with any symmetric block cipher as the underlying encryption algorithm
- Many standard protocols, e.g., IPSec, allow the parties to select which block cipher to use

Cipher Block Modes Requirements

- Efficiency – not much overhead over the block encryption
- Robustness to chosen plaintext attacks where blocks can be set by attacker to reveal the key
- Robustness to ciphertext attacks, to protect against selective modifications
- Fault Tolerant to potential bit errors, not crashing or smashing the entire ciphertext/plaintext

Electronic CodeBook (ECB) Mode

- Simplest form
- Each block (e.g., 64 bits) encrypted separately
- As if there is a codebook of 264 entries (per key)
- Fast, easy to parallelize
- Relatively fault tolerant

- Easier target to known-plaintext attack
- cryptanalyst can rebuild the code book
- Susceptible to stereotypical parts of messages, statistical attacks

- Also easier target to modification attack
- E.g., replacing the target-account block in a bank money wiring communication

Cipher Block Chaining (CBC) Mode

- Encryption
- Ci=Ek(PiCi-1)
- C0=IV

- Decryption
- Pi=Dk(Ci)Ci-1

- Initialization vector modifies encryption of identical block sequences
- Can be chosen by source and sent in the clear (e.g. as C0)
- Or, encrypt random data in the first block
- Errors
- A bit of error in the plaintext will not extend the error
- A bit of error in the ciphertext will garble that block, and will alter same bit in the next block, but then CBC self-recovers completely
- Security
- A man-in-the-middle can easily append blocks in the end
- Can change a bit, knowing which bit will be affected in 2nd block

Cipher Feedback Mode (CFB)

IV

E

E

E

K

K

K

K1

K2

Kn

P1

P2

Pn

…

C1

C2

Cn

- Errors
- A bit of error in the plaintext affects all subsequent blocks but does not extend the error when decrypted
- A bit of error in the ciphertext affects same bit and next block, after which CFB self synchronizes

Counter Mode (CTR)

Counter+n-1

Counter

Counter+1

- Advantages:
- Parallelism
- Random access to specific block
- Requires only the encryption algorithm (advantageous when E and D have different algorithms, e.g. AES)

E

E

E

K

K

K

K1

K2

Kn

P1

P2

Pn

…

C1

C2

Cn

Summary

- Application of block ciphers to arbitrary-sized messages
- Encrypt one-block at a time
- Prevent same encryption to same text through feed-forward mechanisms
- Conceptually similar to avalanche
- Fault tolerance to communication errors (flipped bits in ciphertext/plaintext)

Key Generation, Distribution and Management

- The security of any cryptographic system depends on safe and effective key distribution and management
- frequent changes
- low computational and communication overhead
- Key Distribution Center (KDC) is a third-party that enables easier and more secure key management
- KDC is single most critical point of failure
- if KDC fails, many communication threads may fail
- KDC is a good place to attack
- Attacks on key generation algorithm
- Attacks on key distribution through impersonation or communication hijacking
- Attacks on KDC store or on human managers
- Most common implementation is Kerberos

Key Generation

- Key space should be large enough
- Selection from key space shall be random
- Humans select poor keys - prone to dictionary attack
- Some algorithms have weak keys that should be avoided (DES has 16 such weak keys)
- Example: ANSI X9.17
- Financial Institutions Key Generation Standard
- Pseudo random key Ri generated from previous key, time stamp
- Ri=3DESK(3DESK(Ti) Ri-1)
- Ti is time stamp bits
- It is recommended that seeds are generated from low-order bits of time stamps, or from time between keystrokes of administrator, etc.

Key Distribution Alternatives

- Physical Delivery
- Alice can select the key and deliver to Bob
- Charles, a trusted third-party, can select the key and deliver to both Alice and Bob
- Direct Delivery (encrypted)
- From Alice to Bob, encrypted with a previous key, or using a master key
- Encrypted communication with trusted third-party
- From Charles to both Alice and Bob, and encrypted with host-KDC keys (master keys) that themselves may have been delivered physically

Key Distribution (cont.)

- Choice of key distribution method depends also on network encryption needs
- Link encryption
- End-to-end encryption
- Link encryption
- Typically can use physical delivery, at least for master keys

- End-to-end encryption
- Physical delivery can be hard to implement
- Peer-to-peer encryption of keys is dangerous (catch one, catch all)
- Can use pre-set key, or a key generated concurrently by a token
- Can also use keys delivered by third party (data keys)
- Later we’ll see use of public key schemes

Session Key Distribution by KDC

- It is safer if KDC-host connection uses physically delivered key
- KDC-host communication shall also be mutually authenticated

Example: Ansi X9.17

- Financial Institution Key Management Standard
- Defines protocol to be used by banks to transfer encryption keys
- Defines a 3-level hierarchy of keys
- Master key (KKM), distributed manually
- Key-encrypting-keys (KKs), distributed online
- Data Keys (KD), also online, encrypted using KKs
- Encryption uses 3DES with one or two keys
- Each pair of banks must share a master key
- A new protocol, ANSI X9.28, was developed to cluster several banks around same master key
- Standard has been augmented to use DH key distribution (public key)

Example: Kerberos

- Common client/server access control protocol
- Unix, Windows
- Serves also as Key Distribution Center (KDC)
- Uses “tickets” to allow access to servers
- Ticket provides a “session” key T(c,s)=EKs(authinfo,Kc,s)

Ticket

Granting

Server

Grant

Server

Req

Server

Ticket

Req

Service

Grant

TGS

Client

Server

Req

TGS

Ticket

Kerberos

Authentication

Server (AS)

Review: Key Management Principles

- To reduce the risk of eavesdropping
- use different keys for different purposes
- generate new keys from old ones using hash function
- To reduce the risk of impersonation
- use mutual authentication when exchanging keys
- To reduce the risk of computer/physical break-in
- store most keys encrypted using master key
- save master keys in human memory, smart card, token, etc.
- use tamper-proof hardware to store keys
- destroy media on which keys were stored, even if were encrypted
- Other principles:
- Replace keys frequently
- Report compromised keys to KDC with timestamp
- Backup keys shall be broken and spread

Main sources: Network Security Essential / Stallings

Applied Cryptography / Schneier

Message Authentication

- Goal: offer protection against active attacks
- Impersonation
- Modification of contents
- Timing and/or Sequencing modification
- Replay
- Interruption
- A weak form of non-repudiation vis-à-vis other party
- Technical Requirements
- Verify that the message is authentic
- Verify that source is authentic
- Destination is verified through protocol

Message Authentication Approaches

- Conventional encryption
- Relies on the exclusivity and confidentiality of the key
- Message Authentication Code (MAC)
- A public function of the message and the key
- Hash functions
- A public function that maps the message to an authentication tag (no key!)
- HMAC
- Combination of hash and MAC

MAC Properties

- Message is authentic
- If the attacker modified the message, the MAC will likely not match the one calculated by the receiver
- Source is authentic
- No one else has the key to generate same MAC
- Hence, also non-repudiation (other party knows source)
- Message is in sequence
- Should add timestamp or other nonce to the message before calculating the MAC
- Any encryption algorithm can be used to generate MAC
- NIST recommended last n bits of DES-encryption of the message
- Note that for the purpose of authentication, MAC function need not be reversible

Message Authentication with One-Way Hash Functions

- A one-way hash function H, takes an input an arbitrary length message M, and produces a fixed-length hash value
- H must be hard to “reverse”, i.e. given H(M), its hard to find Ms
- H should be easy to compute (encryption algorithms are not)
- Collision Resistance
- H(M) should be hard to duplicate , i.e., given M it is hard to find M’ such that H(M)=H(M’)
- Sometimes, we may need strong collision resistance, i.e., hard to find arbitrary M, M’ such that H(M)=H(M’)
- H(M) is a fingerprint of the message M and is also called Message Digest (MD)

Message Authentication Protocol Using a One-Way Hash Function

- Using a symmetric secret / key (K)
- Compute H(M+K) as a MAC
- Using symmetric encryption
- Compute EK(H(M)) as the MAC (note that H(M) is much shorter than M, hence faster computation)

Simple Hash Functions

- Bitwise-XOR
- Not very secure, e.g., for English text (ASCII<128) the high-order bit is always zero
- Can be improved by rotating the hash code after each block is XORed into it
- Beware of a man-in-the-middle attack: if the message itself is not encrypted, it is easy to modify the message and append one block that would set the hash code as needed

Cryptographic One-Way Hash Functions

- Cryptographic hash functions are typically based on compression functions (f) that work on blocks (Mi)
- This structure (Merkle), resembles a Chained Block Cipher
- Produces a hash value for each fixed-size block based on its content and based on the hash value for the previous block
- Rabin suggests using symmetric encryption
- f=DES; Mi (message blocks) serve as the keys

M1

M2

Mn

h1

h2

hn-1

f

f

f

…

h

IV

Secure Hash Algorithm (SHA)

- Published by NIST as a standard in 1993; SHA-1 in 1995
- Input: Up to 264 bits, Output: 160 bit digest
- Pad to resist padding attack with “1000…0<message length>”

SHA-1 Basic One-Way Hash Block

- Process 512-bit block (Y)
- Initiates 5 32-bit Message Digest registers
- Fixed values determined by algorithm
- Apply compression functions
- 4 rounds of 20 steps each
- each round uses a different non-linear compression function fi
- add output registers from previous round

SHA-1 Compression Function

- Same structure for each of 4 20-rounds
- f, K are differently parameterized
- f is a bit-wise logical function (different one in each 20-round phase)
- Sk = k left-circular shifts
- W1…W16 from input (Yq)
- Other Ws are computed as XORs of earlier W’s, then circularly shifted once (SHA-0: no shift)
- In SHA-1 every output bit is function of every input bit

Other Famous MD Algorithms

- Recent attacks on SHA-1 (2005) reduce the effective search space for a colliding message M’ such that H(M)=H(M’)
- SHA-2, offered as a response, allows 256/512 bit digests
- NIST published a call for a new design (SHA-3) for 2012

Variable Length Hash Codes

- Some hash functions have good cryptographic qualities (confusion and diffusion), but generate short hash codes
- If the message digest is too short, it may be easier for the receiver to forge another message with same hash code (collision)
- Similarly, easier to find a (message, hashcode) pair that match
- Use the Birthday Paradox to select a “good” message on which the sender will sign, and a “fraudulent” message that would replace it
- Can use the following algorithm to enlarge a hash code
- Start with M0=M, H0=H(M)
- Generate M1 by appending H0 to M0, and generate H1=H(M1)
- Append H1 to H0
- Repeat until generated enough hash codes

Hash Function MAC (HMAC)

- HMAC Idea: Produce a MAC based on a cryptographic hash function
- Note that hash functions do not use a key, and therefore cannot serve directly as a MAC
- Motivations for HMAC:
- Cryptographic hash functions execute faster in software than encryption algorithms such as DES
- No need for the reverseability of encryption
- No US export restrictions
- Status: designated as mandatory for IPSec
- Used in many other protocols, e.g., Transport Layer Security (TLS/SSL), and SET

HMAC Algorithm

- Compute H1= H(K1+M)
- To prevent an “additional block” attack, compute again H2= H(K2+H1)
- K1 and K2 selected to maximize difference
- K+ =K padded with 0’s
- ipad= 00110110 x b/8
- opad=01011100 x b/8
- Compute time is same as H(M) plus 3 blocks

Summary

- Goals of message authentication
- Verify source (and sometimes destination)
- Verify message integrity, timing/sequence
- Main methods:
- Symmetric cryptography
- Message Authentication Codes
- HMACs (using one-way crypto hash functions)

Next Class

- Public key Cryptography

Download Presentation

Connecting to Server..