- By
**vala** - Follow User

- 155 Views
- Uploaded on

Download Presentation
## PowerPoint Slideshow about 'IE MS5710 Symmetric Ciphers' - vala

**An Image/Link below is provided (as is) to download presentation**

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

### IEMS5710Symmetric Ciphers

22 January 2013

Prof. CHAN Yuen-Yan, Rosanna

Department of Information Engineering

The Chinese University of Hong Kong

Cryptography

can characterize cryptographic system by:

type of encryption operations used

substitution

transposition

product

number of keys used

single-key or private (symmetric)

two-key or public (asymmetric)

way in which plaintext is processed

block

stream

IEMS5710 - Lecture 2

The Need of Symmetric Ciphers

- Confidentiality of data transmitted over the internet
- Confidentiality of data (e.g. files) stored in “trusted storage”
- E.g. DropBox
- E.g. Google Drive
- Principle: keep data encrypted until itis needed

Trusted storage

(trusted not to lose data)

Your local system

(trusted to be secure)

Smart Card

(temper resistant)

IEMS5710 - Lecture 2

Examples of symmetric ciphers

- Secure Socket Layer
- Use public key for exchanging the session key
- The session key is for symmetric ciphers
- DES, RC2, RC4, IDEA and Triple DES

SSL payload (ciphertext)

IEMS5710 - Lecture 2

How Secure is Dropbox?

- https://www.dropbox.com/help/27/en
- “Your files are stored securely and backed-up.”
- “Your account login is protected by many layers of security including password and two-step verification.”
- “Other Dropbox users can't see your files in Dropbox unless you deliberately share links to files or share folders.”
- “Dropbox employees are prohibited from viewing the content of files you store in your account…… Employees may access file metadata (e.g., file names and locations) when they have a legitimate reason…”

IEMS5710 - Lecture 2

How Secure is Dropbox?

- For our advanced users
- Dropbox uses modern encryption methods to both transfer and store your data.
- Secure Sockets Layer (SSL) and AES-256 bit encryption.
- Dropbox website and client software are constantly being hardened to enhance security and protect against attacks.
- Two-step verification is available for an extra layer of security at login. You can choose to receive security codes by text message or via any Time-Based One-Time Password (TOTP) apps
- Public files are only viewable by people who have a link to the file(s).
- Dropbox uses Amazon's Simple Storage Service (S3) for storage, which has a robust security policy of its own. You can find more information on Amazon's data security from the S3 site or, read more about how Dropbox and Amazon securely stores data.

IEMS5710 - Lecture 2

How Secure is DropBox?

- how Dropbox and Amazon securely stores data
- Amazon S3.
- “Data stored within Amazon S3 is not encrypted at rest by AWS. However, users can encrypt their data before it is uploaded to Amazon S3 so that the data cannot be accessed or tampered with by unauthorized parties.”

IEMS5710 - Lecture 2

How about Google Drive?

- http://www.informationweek.com/security/privacy/google-drive-privacy-4-misunderstood-fac/232901076
- When people upload a file to the new Google Drive online file-storage service, who owns the file?
- From Google’s Terms of Service
- "When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations, or other changes that we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display, and distribute such content."

IEMS5710 - Lecture 2

EncFS (http://www.arg0.net/encfs)

- Use SSL/AES
- 1024 block size
- Each file contains a unique IV (initial vector) data
- A password is used to decrypt this key.

IEMS5710 - Lecture 2

Examples of symmetric ciphers

- E.g. EncFS encryption for dropbox files
- http://isseykun.github.com/blog/2012/04/15/encrypt-dropbox-data-using-encfs-on-the-mac/

IEMS5710 - Lecture 2

Basic Terminology

- plaintext - original message
- ciphertext - coded message
- cipher - algorithm for transforming plaintext to ciphertext
- key - info used in cipher known only to sender/receiver
- encipher (encrypt) - converting plaintext to ciphertext
- decipher (decrypt) - recovering ciphertext from plaintext
- cryptography - study of encryption principles/methods
- cryptanalysis (codebreaking) - study of principles/ methods of deciphering ciphertext without knowing key
- cryptology - field of both cryptography and cryptanalysis

IEMS5710 - Lecture 2

Symmetric Cipher Model

IEMS5710 - Lecture 2

Requirements

two requirements for secure use of symmetric encryption:

a strong encryption algorithm (E) and the corresponding decryption algorithm (D)

a secret key (K) known only to sender / receiver

mathematically have:

ciphertext= E(K, plaintxt)

plaintext= D(K, ciphertext)

assume encryption algorithm is known

Implies it is necessary for a secure channel to distribute key

IEMS5710 - Lecture 2

History of Cryptography

- Cryptography has roots that begin around 2000 B.C. in Egypt
- Ancient encryption technique also include the Caesar cipher
- In twentieth century, cryptography played a crucial military role in the outcome of both world wars. (E.g. the Enigma machine)
- Cryptography was also used asa tool to protect national secrets and strategies, and was subject to export control
- The proliferation of computers and communications systems in the 1960s brought withit a demand from the private sector for means to protect information in digital form and toprovide security services. E.g.
- Feistel cipher at IBMin the early 1970s
- The adoption of DES (the Data Encryption Standard) by the U.S. Federal Information Processing Standard for encryption
- Public key encryption scheme only appears in 1970s

IEMS5710 - Lecture 2

Enigma Machine

- An electro-mechanical rotor machine for generating ciphers and for the encryption and decryption of secret messages
- refer to http://en.wikipedia.org/wiki/Enigma_machine

IEMS5710 - Lecture 2

Historical Ciphers

- Substitution Ciphers
- Developed in ancient Egypt as series of disordered hieroglyphics
- The original message, or plaintext, was encoded using a substitution cipher. Each letter (or picture, in this case) of the plaintext was simply replaced by another letter of the alphabet, resulting in the encoded message, or ciphertext
- E.g. THIS IS A MESSAGE become

GAWE WE F KOEEFBO

IEMS5710 - Lecture 2

Historical Ciphers

- Caesar cipher
- Said to be used by Julius Caesar to communicate with his army
- Caesar is considered to be one of the first persons to have ever employed encryption for the sake of securing messages
- Using the Caesar Shift (3 to the right), the message,

"RETURN TO ROME"

would be encrypted as,

"UHWXUA WR URPH“

- Here, “3” is the encryption key, as well as the decryption key
- Caesar cipher is a symmetric cryptosystem
- Can you break the follow Caesar cipher?
- “MABL BL T LXVKXM”
- What techniques have you used in breaking it?

IEMS5710 - Lecture 2

Historical Ciphers

- Caesar cipher
- Said to be used by Julius Caesar to communicate with his army
- Caesar is considered to be one of the first persons to have ever employed encryption for the sake of securing messages
- Using the Caesar Shift (3 to the right), the message,

"RETURN TO ROME"

would be encrypted as,

"UHWXUA WR URPH“

- Here, “3” is the encryption key, as well as the decryption key
- Caesar cipher is a symmetric cryptosystem
- Can you break the follow Caesar cipher?
- “MABL BL T LXVKXM”
- What techniques have you used in breaking it?

IEMS5710 - Lecture 2

Cryptanalysis

objective to recover key not just message

general approaches:

cryptanalytic attack

brute-force attack

if either succeed all key use compromised

IEMS5710 - Lecture 2

Cryptanalytic Attacks

Ciphertext only

encryption algorithm and ciphertext are known to the cryptanalyst.

Known plaintext attack

knows: encryption algorithm, ciphertext, and oneor more plaintext-ciphertext pairs formed with the secret key.

Chosen plaintext attack (CPA)

knows: encryption algorithm, ciphertext, andchosen plaintext and its corresponding ciphertext generated with the secret key.

Chosen ciphertext attack (CCA)

knows: encryption algorithm, ciphertext, andchosen ciphertext and its corresponding decrypted plaintext with the secret key.

Chosen text attack

Knows all information known in both CPA and CCA

IEMS5710 - Lecture 2

Historical Ciphers

- Breaking the Caesar cipher
- Possible ways:
- Try every 26 possible shifts (brute force)
- Makes use of statistical data about English letter frequencies
- It is known that in a text of 1000 letters of various English alphabet occur with about the following relative frequencies:
- Use some frequently appear patterns, e.g. “THIS” “THIS IS” “A” “AN” “THE”

IEMS5710 - Lecture 2

English Letter Frequencies

IEMS5710 - Lecture 2

Historical Ciphers

- Vigenere Cipher (France, the 16th century)
- A 2-dimensional Caesar cipher table
- uses this table together with a keyword to encrypt a message
- E.g. encrypt “TO BE OR NOT TO BE THAT IS THE QUESTION”with “RELATIONSHIP”

Keyword: RELATIONSR ELATI ONSRE LATIO NSREL

Plaintext: TOBEO RNOTT OBETH ATIST HEQUE STION

Ciphertext: KSMEH ZBBLK SMEMP OGAJX SEJCS FLZSY

R and T gives K

IEMS5710 - Lecture 2

Block vs Stream Ciphers

block ciphers process messages in blocks, each of which is then en/decrypted

like a substitution on very big characters

64-bits or more

stream ciphers process messages a bit or byte at a time when en/decrypting

many current ciphers are block ciphers

IEMS5710 - Lecture 2

Confusion and Diffusion

cipher needs to completely obscure statistical properties of original message

Shannon’s S-P net concept:

Use substitution and permutation to obtain:

diffusion – dissipates statistical structure of plaintext over bulk of ciphertext

confusion – makes relationship between ciphertext and key as complex as possible

To provide confusion & diffusion of message & key

IEMS5710 - Lecture 2

Feistel Cipher Structure

Horst Feistel devised the feistel cipher

partitions input block into two halves

process through multiple rounds which

perform a substitution on left data half

based on round function of right half & subkey

then have permutation swapping halves

implements Shannon’s S-P net concept

IEMS5710 - Lecture 2

Data Encryption Standard (DES)

Submitted by IBM

Early version invented by team led by Feistel in late 60’s

most widely used block cipher in world

adopted in 1977 by NBS (now NIST)

as FIPS PUB 46

encrypts 64-bit data using 56-bit key

has widespread use

has been considerable controversy over its security

subsequent events and public analysis show in fact design was appropriate

use of DES has flourished, especially in financial applications

still standardised for legacy application use

IEMS5710 - Lecture 2

DES Round Structure

uses two 32-bit L & R halves

as for any Feistel cipher can describe as:

Li= Ri–1

Ri= Li–1 F(Ri–1, Ki)

F takes 32-bit R half and 48-bit subkey:

expands R to 48-bits using perm E

adds to subkey using XOR

passes through 8 S-boxes to get 32-bit result

finally permutes using 32-bit perm P

IEMS5710 - Lecture 2

DES Encryption Overview

IEMS5710 - Lecture 2

DES Example

IEMS5710 - Lecture 2

Attacks to DES – Analytic Attacks

brute force search looks hard, but recent advances have shown is possible

in 1997 on Internet in a few months

in 1998 on dedicated h/w (EFF) in a few days

in 1999 above combined in 22hrs!

Now also have several analytic attacks on DES

these utilise some deep structure of the cipher

by gathering information about encryptions

can eventually recover some/all of the sub-key bits

if necessary then exhaustively search for the rest

generally these are statistical attacks

differential cryptanalysis - differential cryptanalysis compares two related pairs of encryptions

linear cryptanalysis - using a large number of trial encryptions to get linear equation for key bits

related key attacks

IEMS5710 - Lecture 2

Attacks to DES– Timing Attacks

attacks actual implementation of cipher

use knowledge of consequences of implementation to derive information about some/all subkey bits

specifically use fact that calculations can take varying times depending on the value of the inputs to it

particularly problematic on smartcards

IEMS5710 - Lecture 2

AES - Origins

Advanced Encryption Standard (AES)

clear a replacement for DES was needed

have theoretical attacks that can break it

have demonstrated exhaustive key search attacks

can use Triple-DES (do DES for three times) – but slow, has small blocks

US NIST issued call for ciphers in 1997

15 candidates accepted in Jun 98

5 were shortlisted in Aug-99

Rijndael was selected as the AES in Oct-2000

issued as FIPS PUB 197 standard in Nov-2001

IEMS5710 - Lecture 2

The AES Cipher - Rijndael

designed by Rijmen-Daemen in Belgium

has 128/192/256 bit keys, 128 bit data

an iterative rather than feistel cipher

processes data as block of 4 columns of 4 bytes

operates on entire data block in every round

key is expanded to array of words

designed to be:

resistant against known attacks

speed and code compactness on many CPUs

design simplicity

IEMS5710 - Lecture 2

AES Encryption Process

IEMS5710 - Lecture 2

AES Structure

IEMS5710 - Lecture 2

AES Round

IEMS5710 - Lecture 2

AES Decryption

IEMS5710 - Lecture 2

AES – ImplementationAspects

can efficiently implement on 32-bit CPU

redefine steps to use 32-bit words

can precompute 4 tables of 256-words

then each column in each round can be computed using 4 table lookups + 4 XORs

at a cost of 4Kb to store tables

efficient implementation was a key factor in its selection as the AES cipher

IEMS5710 - Lecture 2

Modes of Operation

block ciphers encrypt fixed size blocks

eg. DES encrypts 64-bit blocks with 56-bit key

need some way to en/decrypt arbitrary amounts of data in practise

NIST SP 800-38A defines 5 modes

have block and stream modes

to cover a wide variety of applications

can be used with any block cipher

IEMS5710 - Lecture 2

Electronic Codebook Book (ECB)

message is broken into independent blocks which are encrypted

each block is a value which is substituted, like a codebook, hence name

each block is encoded independently of the other blocks

Ci = EK(Pi)

uses: secure transmission of single values

IEMS5710 - Lecture 2

Electronic Codebook Book (ECB)

IEMS5710 - Lecture 2

Advantages and Limitations of ECB

message repetitions may show in ciphertext

if aligned with message block

particularly with data such graphics

or with messages that change very little, which become a code-book analysis problem

weakness is due to the encrypted message blocks being independent

main use is sending a few blocks of data

IEMS5710 - Lecture 2

Cipher Block Chaining (CBC)

message is broken into blocks

linked together in encryption operation

each previous cipher blocks is chained with current plaintext block, hence name

use Initial Vector (IV) to start process

Ci = EK(Pi XOR Ci-1)

C-1 = IV

uses: bulk data encryption, authentication

IEMS5710 - Lecture 2

Cipher Block Chaining (CBC)

IEMS5710 - Lecture 2

Message Padding

at end of message must handle a possible last short block

which is not as large as blocksize of cipher

pad either with known non-data value (eg nulls)

or pad last block along with count of pad size

eg. [ b1 b2 b3 0 0 0 0 5]

means have 3 data bytes, then 5 bytes pad+count

this may require an extra entire block over those in message

there are other, more esoteric modes, which avoid the need for an extra block

IEMS5710 - Lecture 2

Advantages and Limitations of CBC

a ciphertext block depends on all blocks before it

any change to a block affects all following ciphertext blocks

need Initialization Vector (IV)

which must be known to sender & receiver

if sent in clear, attacker can change bits of first block, and change IV to compensate

hence IV must either be a fixed value (as in EFTPOS)

or must be sent encrypted in ECB mode before rest of message

IEMS5710 - Lecture 2

Cipher FeedBack (CFB)

message is treated as a stream of bits

added to the output of the block cipher

result is feed back for next stage (hence name)

standard allows any number of bit (1,8, 64 or 128 etc) to be feed back

denoted CFB-1, CFB-8, CFB-64, CFB-128 etc

most efficient to use all bits in block (64 or 128)

Ci = Pi XOR EK(Ci-1)

C-1 = IV

uses: stream data encryption, authentication

IEMS5710 - Lecture 2

s-bitCipher FeedBack (CFB-s)

IEMS5710 - Lecture 2

Advantages and Limitations of CFB

appropriate when data arrives in bits/bytes

most common stream mode

limitation is need to stall (pause) while do block encryption after every n-bits

note that the block cipher is used in encryption mode at both ends

errors propagate for several blocks after the error

IEMS5710 - Lecture 2

Output FeedBack (OFB)

message is treated as a stream of bits

output of cipher is added to message

output is then feed back (hence name)

feedback is independent of message

can be computed in advance

Oi = EK(Oi-1)

Ci = Pi XOR Oi

O-1 = IV

uses: stream encryption on noisy channels

IEMS5710 - Lecture 2

Output FeedBack (OFB)

IEMS5710 - Lecture 2

Advantages and Limitations of OFB

needs an IV which is unique for each use

if ever reuse attacker can recover outputs

bit errors do not propagate

more vulnerable to message stream modification

sender & receiver must remain in sync

use with full block feedback

IEMS5710 - Lecture 2

Counter (CTR)

a “new” mode, though proposed early on

similar to OFB but encrypts counter value rather than any feedback value

must have a different key & counter value for every plaintext block (never reused)

Oi = EK(i)

Ci = Pi XOR Oi

uses: high-speed network encryptions

IEMS5710 - Lecture 2

Counter (CTR)

IEMS5710 - Lecture 2

Advantages and Limitations of CTR

efficiency

can do parallel encryptions in h/w or s/w

can preprocess in advance of need

good for bursty high speed links

random access to encrypted data blocks

provable security (good as other modes)

but must ensure never reuse key/counter values, otherwise could break (cf OFB)

IEMS5710 - Lecture 2

Summary: Feedback Characteristics

IEMS5710 - Lecture 2

Stream Ciphers

process message bit by bit (as a stream)

have a pseudo random keystream

combined (XOR) with plaintext bit by bit

randomness of stream key completely destroys statistically properties in message

Ci = Mi XOR StreamKeyi

but must never reuse stream key

otherwise can recover messages (cf book cipher)

IEMS5710 - Lecture 2

Stream Cipher Structure

IEMS5710 - Lecture 2

Stream Cipher Properties

some design considerations are:

long period with no repetitions

statistically random

depends on large enough key

large linear complexity

properly designed, can be as secure as a block cipher with same size key

but usually simpler & faster

RC4

Designed by Ron Rivest (RSA), simple but effective

variable key size, byte-oriented stream cipher

widely used (web SSL/TLS, wireless WEP/WPA)

key forms random permutation of all 8-bit values

uses that permutation to scramble input info processed a byte at a time

IEMS5710 - Lecture 2

RC4 Overview

IEMS5710 - Lecture 2

References

- William Stallings, Cryptography and Network Security Principles and Practices, 5/e, Pearson
- Chapter 2
- Chapter 3
- Chapter 5
- Chapter 6
- Chapter 7

IEMS5710 - Lecture 2

Download Presentation

Connecting to Server..