1 / 39

CS363

Week 3 - Monday. CS363. Last time. What did we talk about last time? Secure encryption DES. Questions?. Assignment 1. Security Presentation. Yuki Gage. DES. DES internals. DES has 16 rounds The book calls them cycles

uriah-levine
Download Presentation

CS363

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Week 3 - Monday CS363

  2. Last time • What did we talk about last time? • Secure encryption • DES

  3. Questions?

  4. Assignment 1

  5. Security Presentation Yuki Gage

  6. DES

  7. DES internals • DES has 16 rounds • The book calls them cycles • In each round, the input is broken into 2 halves, manipulated, and combined with part of the key Input Permutation f Left0 Right0 Key1 Left1 Right1 + Left0 Right0

  8. S-boxes • DES uses bitwise operations as well as lookup tables • DES has 8 substitution boxes (S-boxes) which take 6 bits of data and give back 4

  9. The function from the F circle • The expansion permutation takes 32 input bits and expands them into 48 bits while permuting them • 16 bits are repeated • These 48 bits are XORed with the round key • The resulting 48 bits are substituted through S-boxes which produces a 32 bit result • The final 32 bits are permuted

  10. Key schedule • The encryption key is 64 bits, but only 56 bits are used • The other 8 bits are for parity • Each of the 16 rounds has a 48 bit round key • To produce the round key, the left and right halves of the 56 bit key are independently shifted by either 1 or 2 bits, depending on the round • 48 bits are chosen and permuted by a key transformation box

  11. Final DES encryption • There is an initial permutation before the rounds • There is a final permutation after the rounds • Otherwise, each round feeds into the next one

  12. Decryption • The same algorithm is used for encryption and decryption • Input for round j is derived from round j – 1 • To work backwards, we can solve for round j - 1 • And by substitution: • We simply supply the round keys in backward order

  13. NSA controversy • The NSA tinkered with DES • They shortened the key length from the original 128 bits of Lucifer to 56 • They changed the S-boxes • People were concerned that the NSA had introduced a trapdoor so that they could read messages • Eventually, the NSA released information about the choice of S-boxes: • No S-box is a linear or affine function of its input • Changing 1 bit of the S-box input changes at least 2 bits of its output • If a single bit is held constant, changing the others should not radically change the total number of 1s or 0s in the output

  14. NSA exonerated • In 1990, researchers independently discovered differential cryptanalysis • It uses related plaintext-ciphertext pairs to trace small changes in input to the output • The changes the NSA made to the S-boxes made them significantly more resistant to differential cryptanalysis • Declassified explanations show that people at IBM and the NSA knew about differential cryptanalysis in the 1970s

  15. Key oddities • DES has four weak keysthat are their own inverse • Encryption = decryption for these keys • They are all 1s, all 0s, or half and half • DES has six pairs of semiweakkeys • Encryption with one key is the same as decryption with the other in the pair • Complements: • If c = DES(p, k) then c= DES(p, k) • These problems are easily avoidable • Don’t use weak or semiweak keys • People are usually not encrypting the negation of a plaintext with the negation of a key

  16. DES strengths • DES is fast • Easy to implement in software or hardware • Encryption is the same as decryption • Triple DES is still standard for many financial applications • Resistant to differential and linear cryptanalysis (247 and 243 known pairs required, respectively)

  17. DES weaknesses • Short key size • Brute force attack by EFF in 1998 in 56 hours then in 1999 in just over 22 hours • Brute force attack by University of Bochum and Kiel in 9 days in 2006 (but, using a machine costing only $10,000) • If you could check 1,000,000,000 keys per second (which is unlikely with a commodity PC), it would take an average of 417 days to recover a key

  18. Double and Triple DES

  19. Improving DES • The short key size leaves DES vulnerable to brute force attacks • How can we make up for this weakness? • Possibilities: • Encrypt twice with DES • Encrypt three times with DES • …

  20. Double DES • "DES is wrong if you listen to NIST, Double DES ain't no better, man, that got dissed" --MC Plus+ • Double DES encrypts a plaintext with DES twice, using two different keys • Double DES is susceptible to a meet-in-the-middle attack • This attack uses a space-time tradeoff • Although two keys should mean 56 + 56 = 112 bits of security or 2112 time for a brute force attack, the meet-in-the-middle attack can run in roughly 257 or 258 time, using 256 space

  21. Double DES attack Encrypt P1 Decrypt C1 • Two pairs of plaintexts and ciphertexts are needed • Encrypt P1 with all possible keys and save them • Decrypt C1 with all possible keys • If the result matches anything in the list, use the key to encrypt P2 • If that matches C2, you win! • On the left, I show all the decryptions, but only the encryptions need to be stored

  22. Triple DES • Although susceptible to a brute force attack, DES has no other major weaknesses • Double DES can be defeated by an extension of the brute force attack • What about triple DES? • Let EK(X) and DK(X) be encryption and decryption using DES with key K • Triple DES uses keys K1, K2, and K3 • C = EK1(DK2(EK3(M))) • Setting K1 = K2= K3 allows for compatibility with single DES systems • Triple DES is still a standard for financial transactions with no known practical attacks

  23. AES

  24. AES • Advanced Encryption Standard • Block cipher designed to replace DES • Block size of 128-bits • Key sizes of 128, 192, and 256 bits • Like DES, has a number of rounds (10, 12, or 14 depending on key size) • Originally called Rijndael, after its Belgian inventors • Competed with 14 other algorithms over a 5 year period before being selected by NIST

  25. History of AES • In 1997, NIST made a call for a new encryption standard to replace DES • The algorithms had to have these properties: • Unclassified • Publicly disclosed • Royalty-free • Symmetric block ciphers for blocks of 128 bits • Usable with keys of 128, 192, and 256 bits • 15 algorithms were chosen for further scrutiny • 5 algorithms were finalists • NIST said that the 4 runner-up algorithms had excellent security properties • Rijndael was chosen for its efficiency

  26. History of AES • The 15 algorithms were CAST-256, CRYPTON, DEAL, DFC, E2, FROG, HPC, LOKI97, MAGENTA, MARS, RC6, Rijndael, SAFER+, Serpent, and Twofish • The 5 finalists:

  27. AES internals • AES keeps an internal state of 128 bits in a 4 x 4 table of bytes • There are four operations on the state: • Substitute bytes • Shift rows • Mix columns • Add round key

  28. Substitute bytes • Each byte is substituted for some other byte • This operation is similar to the S-box from DES • The substitution is based on the multiplicative inverse of the value in GF(28) • An algebraic structure is used instead of hand picking substitution value • 0 is used as its own multiplicative inverse • To break up patterns, the result of finding the multiplicative inverse is XORed with the value 99 | 0 1 2 3 4 5 6 7 8 9 a b c d e f ---|--|--|--|--|--|--|--|--|--|--|--|--|--|--|--|--| 00 |63 7c 77 7b f2 6b 6f c5 30 01 67 2b fe d7 ab 76 10 |ca 82 c9 7d fa 59 47 f0 ad d4 a2 af 9c a4 72 c0 20 |b7 fd 93 26 36 3f f7 cc 34 a5 e5 f1 71 d8 31 15 30 |04 c7 23 c3 18 96 05 9a 07 12 80 e2 eb 27 b2 75 40 |09 83 2c 1a 1b 6e 5a a0 52 3b d6 b3 29 e3 2f 84 50 |53 d1 00 ed 20 fc b1 5b 6a cb be 39 4a 4c 58 cf 60 |d0 efaafb 43 4d 33 85 45 f9 02 7f 50 3c 9f a8 70 |51 a3 40 8f 92 9d 38 f5 bc b6 da 21 10 ff f3 d2 80 |cd 0c 13 ec 5f 97 44 17 c4 a7 7e 3d 64 5d 19 73 90 |60 81 4f dc 22 2a 90 88 46 ee b8 14 de 5e 0b db a0 |e0 32 3a 0a 49 06 24 5c c2 d3 ac 62 91 95 e4 79 b0 |e7 c8 37 6d 8d d5 4e a9 6c 56 f4 ea 65 7a ae 08 c0 |ba 78 25 2e 1c a6 b4 c6 e8 dd 74 1f 4b bd 8b 8a d0 |70 3e b5 66 48 03 f6 0e 61 35 57 b9 86 c1 1d 9e e0 |e1 f8 98 11 69 d9 8e 94 9b 1e 87 e9 ce 55 28 df f0 |8c a1 89 0d bf e6 42 68 41 99 2d 0f b0 54 bb 16

  29. Shift rows • For 128-bit blocks (those used in AES), the rows are shifted by a set amount • Row 1 is not shifted at all • Row 2 is shifted over by 1 byte • Row 3 is shifted over by 2 bytes • Row 4 is shifted over by 3 bytes • Rijndael has slightly different shifts for larger block sizes

  30. Mix columns • Mixing the columns is the most confusing part • An invertible linear transformation is applied to each column, diffusing its data along the column • This transformation can be viewed as “multiplication” by the following matrix 1 means don’t change the value, 2 means left shift by one bit, and 3 means left shift by one bit and XOR with the original value

  31. Add key • XOR the current round key with the state • This step is very simple, except that the key schedule that generates the round key from the overall key is complex

  32. AES rounds • AES supports key sizes of 128, 192, and 256 bits • Rijndael supports unlimited key size, in principle, as well as other block sizes • 128 bit keys use 10 rounds, 192 use 12, and 256 use 14 • Add round key First Round Normal Round Last Round

  33. AES pros and cons • Strengths • Strong key size • Fast in hardware and software • Rich algebraic structure • Well-studied, open standard • Weaknesses • Almost none • A few theoretical attacks exist on reduced round numbers of AES • No practical attacks other than side channel attacks

  34. AES attacks • No practical attacks exist on the full AES • With reduced numbers of rounds and strong attack models, there are some theoretical attacks • CP = chosen plaintexts • RK-CP = related key chosen plaintexts

  35. Side channel attacks • Attacks that rely on timing, measuring cache, energy consumption, or other ways an implementation leaks data are called side channel attacks • Several practical side channel attacks for AES do exist • In 2005, Bernstein found a cache-timing attack that broke an OpenSSL implementation of AES using 200 million chosen plaintexts and a server that would give him precise timing data • Later in 2005, Osvik et al. found an attack that recovered a key after 800 encryptions in only 65 milliseconds, with software running on the target machine • In 2009, Saha et al. found an attack on hardware using differential fault analysis to recover a key with a complexity of 232 • In 2010, Bangerter et al. found a cache-timing attack that required no knowledge of plaintexts or ciphertexts and could work in about 3 minutes after monitoring 100 encryptions

  36. AES vs. DES

  37. Upcoming

  38. Next time… • Finish AES • Public key cryptography background • Omar Mustardo presents

  39. Reminders • Keep reading Section 2.5 • Keep working on Assignment 1 • Due this Friday by midnight

More Related