ELEC5616 computer and network security
matt barrie mattb@ee.usyd.edu.au

lecture 4 :: cyphers II

pseudorandom number generators
  • Sources of random numbers are desirable in many applications:
    • Session keys
    • Deck shuffling
    • Challenges
    • Nonces
  • Unfortunately truly random sources are not easy to come by:
    • Thermal noise in electric circuits
    • Timing of Geiger counter clicks
  • Instead applications need to make do with a pseudorandom number generator (PRNG).

pseudorandom number generators
  • Desirable properties of PRNGs are:
    • Repeatability
    • Statistical randomness
    • Long period/cycle
    • Insensitive to seeds
  • PRNGs are often broken by:
    • Statistical tests to find patterns or bias in the output sequence
    • Inferring the state of internal registers from the output sequence
  • PRNGs are usually critically important parts of the system, and often a single point of failure

linear congruential generators
  • Linear Congruential Generators

x_{n+1} = (a · x_n + b) mod c

    • e.g. Unix rand() function
    • a, b, c are constants
    • Period of generator is less than c
    • Cannot be used for security - easily predictable!
    • Only need two consecutive values to reconstruct the internal state.
  • Was used by an Internet casino who were so sure of their code, they published their algorithms!
    • With expected results…
  • Moral of the story: don’t use it!
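
The predictability the slide warns about, as an added example (not code from the lecture): a small LCG, and a demonstration that the "internal state" is nothing more than the last output, so anyone who knows a, b, c and one output can continue the sequence. It goes one step further than the slide and also recovers a and b from three consecutive outputs when only the modulus c is known. The constants a = 16807, b = 12345, c = 2^31 - 1 are constructed for illustration and are not the parameters of any particular rand() implementation.

```python
# Added example: a linear congruential generator and why it is predictable.
# Constants below are constructed for illustration, not any real rand().

def lcg(seed: int, a: int, b: int, c: int, count: int) -> list:
    """Return `count` successive outputs of x_{n+1} = (a * x_n + b) mod c."""
    out, x = [], seed
    for _ in range(count):
        x = (a * x + b) % c
        out.append(x)
    return out


def predict_next(x_last: int, a: int, b: int, c: int) -> int:
    """The generator's whole state is its last output: given the constants,
    one observed value is enough to produce every later value."""
    return (a * x_last + b) % c


def recover_constants(x0: int, x1: int, x2: int, c: int) -> tuple:
    """Recover (a, b) from three consecutive outputs when only c is known.
    From x1 = a*x0 + b and x2 = a*x1 + b (mod c), subtracting gives
    x2 - x1 = a*(x1 - x0), so a = (x2 - x1) * (x1 - x0)^-1 mod c and
    b = x1 - a*x0 mod c. Requires (x1 - x0) invertible mod c, which always
    holds for x1 != x0 when c is prime (as in the constructed example)."""
    a = ((x2 - x1) * pow(x1 - x0, -1, c)) % c
    b = (x1 - a * x0) % c
    return a, b
```

Because the recovery is exact (a and b are both smaller than c), the generator's future output is fully determined by the three observed values; this is the sense in which the slide says an LCG "cannot be used for security".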

linear feedback shift registers
  • Linear Feedback Shift Registers (LFSRs)
    • Seed is the initial value of the shift register
    • Feedback network based on polynomials over finite fields
    • Easy and very fast in hardware (1 bit per clock)
  • Problem:
    • Tap configuration can be determined from 2n output bits
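
An added example (not from the lecture) of the two claims on this slide: an n-bit Fibonacci LFSR over GF(2) whose feedback is the XOR of tapped register positions, its period, and a solver that recovers the tap configuration from 2n consecutive output bits by Gaussian elimination over GF(2). The register width, taps and seed are constructed for illustration: n = 4 with feedback polynomial x^4 + x^3 + 1 (taps at positions 0 and 3), which is primitive and therefore gives the maximal period 2^4 - 1 = 15.

```python
# Added example: Fibonacci LFSR over GF(2) and tap recovery from 2n bits.
# Width, taps and seed below are constructed for illustration.

def step(state: tuple, taps: list) -> tuple:
    """One clock: output the oldest bit, shift, append the feedback bit,
    which is the XOR of the state bits at the tapped positions."""
    fb = 0
    for s, t in zip(state, taps):
        fb ^= s & t
    return state[0], tuple(state[1:]) + (fb,)


def keystream(state, taps: list, count: int) -> list:
    """`count` output bits starting from `state` (oldest bit first)."""
    out, cur = [], tuple(state)
    for _ in range(count):
        bit, cur = step(cur, taps)
        out.append(bit)
    return out


def period(state, taps: list):
    """Clocks until the register returns to `state`; None if it never does
    (possible when position 0 is not a tap, so the map is not a bijection)."""
    start = tuple(state)
    cur, n = start, len(start)
    for k in range(1, 2 ** n + 1):
        _, cur = step(cur, taps)
        if cur == start:
            return k
    return None


def recover_taps(bits: list, n: int):
    """Solve for the n taps from 2n consecutive output bits.
    Each output bit obeys bits[k+n] = XOR_i taps[i] * bits[k+i]; the n
    equations for k = 0..n-1 form an n x n linear system over GF(2).
    Rows are stored as [coefficient bitmask, right-hand side bit]."""
    if len(bits) < 2 * n:
        raise ValueError("need at least 2n output bits")
    rows = [[sum(bits[k + i] << i for i in range(n)), bits[k + n]] for k in range(n)]
    for col in range(n):
        piv = next((r for r in range(col, n) if (rows[r][0] >> col) & 1), None)
        if piv is None:
            return None  # singular: these 2n bits do not pin down the taps
        rows[col], rows[piv] = rows[piv], rows[col]
        for r in range(n):
            if r != col and (rows[r][0] >> col) & 1:
                rows[r][0] ^= rows[col][0]
                rows[r][1] ^= rows[col][1]
    # Reduced row echelon form: row i now reads taps[i] = rhs[i]
    return [rows[i][1] for i in range(n)]
```

The solver is the concrete content of "tap configuration can be determined from 2n output bits": the LFSR is linear, so n unknown taps and n equations suffice, and a primitive polynomial does not help because its n consecutive states are always linearly independent.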

[figure: n-bit shift register with feedback taps]

RC4
  • Wide applications in cryptography
  • Based on permutations of a 256 byte array
  • The seed is the initial value of the array
  • RC4’s key scheduling algorithm has problems (WEP weakness)

RC4 output loop (s is the 256-byte state array; i = j = 0 after key scheduling):

while (1) {
    i = i + 1 (mod 256);
    j = j + s[i] (mod 256);
    swap (s[i], s[j]);
    t = s[i] + s[j] (mod 256);
    output s[t];
}

other PRNGs
  • ANSI X9.17
    • Based on 3DES
    • Based on SHA or DES
    • Based on MD5 hashing and addition modulo 2^128

using PRNGs
  • Be extremely careful with PRNG seeds!
  • Hash PRNG inputs with a timestamp or counter
  • Reseed the PRNG occasionally
  • Use a hash function to protect PRNG outputs if PRNG is suspect

stream cyphers
  • In a OTP, the secret key is the random n-bit stream.
  • Stream cyphers replace this random stream with a pseudorandom bitstream.
  • The secret key is the seed used to generate the pseudorandom stream.

E(m, seed) = m ⊕ RNG(seed)

D(c, seed) = c ⊕ RNG(seed)

[figure: seed → RNG → pseudorandom stream, XORed bit by bit with the message]

security of stream cyphers
  • Trade-off: excellent secrecy for ease of implementation / use.
  • The security of the cypher is dependent on the security of the pseudorandom number generator.
    • It should be computationally hard to determine either the seed or the next number in sequence.
  • Since the random number generator is deterministic, the seed should only be used for one session.
  • Stream cyphers are much faster than block cyphers.
  • To avoid using the same seed twice, we can encrypt it using stronger crypto and append to the ciphertext (to tell the other party):

E(m, k) = DES(seed, k) || m ⊕ RNG(seed)
            (strong)          (fast)
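
The RC4 loop from the earlier slide, the stream cypher E(m, seed) = m ⊕ RNG(seed), and the seed-reuse rule from this slide, together as one added example (not code from the lecture). The key scheduling algorithm (KSA) is the standard RC4 one; the key "Key" and plaintext "Plaintext" are the commonly published RC4 test vector, not values from the slides, and the two messages used to show keystream reuse are constructed.

```python
# Added example: RC4 as the RNG(seed) of a stream cypher.

def rc4_ksa(key: bytes) -> list:
    """Key scheduling: permute the 256-byte array s using the key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    return s


def rc4_keystream(key: bytes, length: int) -> bytes:
    """The output loop from the slide; i and j start at 0 after the KSA."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        t = (s[i] + s[j]) % 256
        out.append(s[t])
    return bytes(out)


def stream_xor(data: bytes, seed: bytes) -> bytes:
    """E(m, seed) = m XOR RNG(seed). Decryption is the same call, because
    XORing the same keystream twice cancels it."""
    ks = rc4_keystream(seed, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Why a seed is used for one session only: if two messages share a
    keystream, c1 XOR c2 = m1 XOR m2, and the key drops out entirely.
    Whatever is known about one message then reads off the other."""
    return bytes(a ^ b for a, b in zip(c1, c2))
```

The last function is the reason the slide pairs a fresh seed with each session and uses a stronger cypher (DES in the slide's construction) to carry that seed to the other party: the fast XOR layer gives no protection at all once the pseudorandom stream repeats.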

History of DES

1970s IBM Research Team led by Feistel devises a cypher called LUCIFER with a 128-bit message, ciphertext and keyspace.

1973 NBS (now NIST) asks for a proposed data encryption standard.

1974 IBM develops DES from LUCIFER.

1975 The NSA “fixes” DES

  • shortens key to 56 bits (on 64 bit blocks)
  • plays with S (substitution) boxes
  • additional permutations

1977 DES adopted and heavily used to secure financial transactions.

1991 Biham & Shamir discover modifications made DES resilient to differential cryptanalysis.

1993 Michael Wiener from Nortel theorises a USD$1M machine could crack DES in 3.5 hours using off the shelf components

1997 DES cracked by brute force by Distributed.net in 96 days.

1997 NIST asks for proposal for AES (advanced encryption standard)

1999 DES cracked by brute force again in 24 hours using Distributed.net and the EFF USD$250,000 Deep Crack machine

2000 Rijndael accepted as new AES standard (128/192/256 bit keyspace, 128 bit blocks).

  • Was the NSA playing the resource game?
  • "NSA doesn't want a strong cryptosystem as a national standard, because it is afraid of not being able to read the messages. On the other hand, if NSA endorses a weak cryptographic system and is discovered, it will get a terrible black eye." - EFF 1998

  • Data Encryption Standard (DES)
  • Block cypher (64-bit blocks, 56-bit key)
  • 16-round Feistel network:
    • A particular construction which is reversible:

c = DES_k(m)

m = DES_k^-1(c)

    • Note: key schedule is reversed
  • Operates in many different modes
  • World’s most heavily used and analysed cypher
  • We still don’t understand it properly after 25 years
    • The NSA knew more than we do now, 20 years ago

feistel networks
  • Ladder structure
  • Input is split into two blocks, the left and right halves
  • The functions f1 … fk are arbitrary mappings:

f_1 … f_k : {0,1}^n → {0,1}^n

[figure: ladder of rounds 1, 2, 3 acting on the left and right halves]

each round:

l_i = r_{i-1}

r_i = l_{i-1} ⊕ f_i(r_{i-1})

feistel structure
  • Express cypher as combination of successive round functions (can be any number of rounds):

Ψ(f_1, f_2, f_3)

  • To decrypt, simply use the rounds in reverse order, i.e.:

Ψ^-1(f_1, f_2, …, f_{2k-1}) = Ψ(f_{2k-1}, …, f_2, f_1)

  • Round functions do not need to be invertible
  • If the f_i are random functions then Ψ() is indistinguishable from a random permutation under a chosen plaintext attack
  • This lets us turn any one-way function into a block cypher
  • We can thus optimise round functions individually
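
The Feistel construction of the last two slides as an added example (not code from the lecture): a network Ψ(f_1, …, f_k) on 64-bit blocks whose round functions are deliberately non-invertible, with decryption obtained purely by reversing the order of the rounds. Building each f_i from SHA-256 keyed by a round key is an assumption of this toy, used only as "an arbitrary mapping {0,1}^n → {0,1}^n"; it is not DES and the round keys are constructed.

```python
# Added example: a Feistel network with non-invertible round functions.
import hashlib

HALF = 4  # n = 32 bits per half, so a 64-bit block as in DES


def make_round_function(round_key: bytes):
    """An arbitrary one-way mapping f_i: {0,1}^n -> {0,1}^n (toy choice:
    truncated SHA-256 of round_key || input). It has no inverse."""
    def f(right: bytes) -> bytes:
        return hashlib.sha256(round_key + right).digest()[:HALF]
    return f


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def feistel(block: bytes, round_fns) -> bytes:
    """Psi(f_1, ..., f_k): each round computes
        l_i = r_{i-1},   r_i = l_{i-1} XOR f_i(r_{i-1})
    and the output is r_k || l_k (the swap after the last round is undone,
    exactly as DES outputs C = R16 L16). With that convention the same
    routine run with the rounds reversed is the exact inverse."""
    assert len(block) == 2 * HALF
    left, right = block[:HALF], block[HALF:]
    for f in round_fns:
        left, right = right, xor(left, f(right))
    return right + left


def feistel_inverse(block: bytes, round_fns) -> bytes:
    """Psi^-1(f_1, ..., f_k) = Psi(f_k, ..., f_1): no f_i is ever inverted."""
    return feistel(block, list(reversed(round_fns)))


def bit_differences(a: bytes, b: bytes) -> int:
    """Number of differing bits, to observe avalanche between two outputs."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))
```

Tracing one round backwards shows why this works: the decryptor sees (r_i, l_i) with l_i = r_{i-1}, recomputes f_i(r_{i-1}) from that known half, and XORs it off r_i to recover l_{i-1}; only f_i's forward direction is ever needed, which is the property the slide uses to turn a one-way function into a block cypher.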

Diffusion and Confusion
  • Many modern symmetric cyphers are based upon two principles:
  • Diffusion is used to dissipate the statistical structure of the plaintext into long range statistical properties of the cyphertext
    • We try to make the statistical relationship between plaintext and cyphertext complex so the key cannot be derived, ideally by having each plaintext bit affect as many cyphertext bits as possible.
    • In cypher design, we try to get the cyphertext symbol, digraph and trigraph frequencies as evenly distributed as possible, and ideally flipping a bit of the plaintext will result in a 50% probability of each bit flipping in the cyphertext
    • Diffusion is usually achieved through repeat application of a permutation function
    • Sometimes seen as a ‘P-Box’ in cyphers
  • Confusion is used to make the relationship between the cyphertext and the key as difficult as possible
    • Usually achieved through application of a complex substitution function
    • Usually seen in the form of an n × m-bit ‘S-box’
    • Think of an n-bit address line into an n × m-bit RAM (storing a non-linear function)

DES structure

[figure: DES block structure, top to bottom]
  • Initial permutation (to discourage …)
  • Plaintext split into left and right halves (each 32 bits, expanded to 48)
  • 16 rounds: S-boxes to confuse, P-boxes to diffuse
  • Key schedule s1..s16 derived from key (each is 48 of 56 bits)
  • Inverse of initial permutation

DES internals
  • 16 round Feistel network with functions f1 … f16 derived from the key (through the key scheduling algorithm)
  • DES can be defined by the following equations:

M = L_0 R_0                          # |L_0| = |R_0| = 32 bits

L_i = R_{i-1}                        # 16 rounds, i = 1 … 16

R_i = L_{i-1} ⊕ F(R_{i-1}, k_i)

C = R_16 L_16                        # output

  • Each ki is the ith subkey derived from the key k according to a key schedule.

DES round functions
  • The function F(x, k_i): {0,1}^32 × {0,1}^48 → {0,1}^32

[figure: F(x, k_i), top to bottom]
  • x (32 bits) is expanded to 48 bits
  • XORed with k_i (48 bits), giving 48 bits
  • split into 8 S-box inputs of 6 bits each, producing 8 outputs of 4 bits each
  • 32 bits out, permuted by the P-box

avalanche effect in DES
  • DES is designed so that a minor change in the key or the plaintext results in a dramatic change in the cyphertext.

Round   Bit change in plaintext           Bit change in key
        (#bits different in cyphertext)   (#bits different in cyphertext)
  0                1                               0
  1                6                               2
  2               21                              14
  3               35                              28
  4               39                              32
  5               34                              30
  6               32                              32
  7               31                              35
  8               29                              34
  9               42                              40
 10               44                              38
 11               32                              31
 12               30                              33
 13               30                              28
 14               26                              26
 15               29                              34
 16               34                              35

The change quickly avalanches, so the difference between the cyphertexts approaches that of any two chosen at random (half the bits in error on average).

DES is broken
  • DES has been found to hold up well against many forms of cryptanalysis, but fell to brute force.
  • The problem is that Moore’s Law has caught up.
  • Security is all about resources, and these resources ride the silicon curve.
    • 1993: Michael Wiener theorises USD$1M machine brute force in 3.5 hours.
    • 1997: www.distributed.net 78,000 PCs brute force DES in 96 days.
    • 1998: EFF Deep Crack machine (USD$250k) and Distributed.net breaks in less than a day (3 days for the whole keyspace)
    • 2001: Sub-USD$1M custom chip machine brute force in under 30 minutes.
    • 2003: FPGAs exploiting optimum cost/performance.

EFF DES cracker
  • Based on low-volume gate array machine built with AWT
  • Exploits Hardware parallelism:
    • 24 DES Search Units / Chip
    • 64 Chips / Board (~1800 chips total)
    • 27 Boards total in 2 Sun VME chassis
  • DES performed in 16 cycles
  • Clocked at 40 MHz!
    • 2.5 Million keys / second (each unit)
  • Total Cost (1997): USD$250k
  • Brute force keyspace in 3 days

cryptanalysis cost metrics

Cost of each effort in dollar-seconds (d-s), i.e. machine cost × time to break:

1993 Wiener’s theoretical machine    1.3 × 10^10 d-s

1997 Distributed.net effort          6.5 × 10^14 d-s
      • Assuming $1000/machine!

1998 EFF Deep Crack                  6.5 × 10^10 d-s

Moral of the story:

  • Highly-parallel special-purpose hardware is much more efficient than massively-parallel general-purpose processors.

The Future?

  • Cryptanalysis using modern FPGAs
    • e.g. Xilinx Virtex-II Pro – 125,000 CLBs and up to 4 PPC Cores @ 400MHz
    • Gain efficiencies using highly-parallel arrays of crack cores
    • FPGAs can clock @ 100-200MHz vs. 40MHz
    • 4x higher densities
    • Arbitrary function blocks in modern CLBs ideal for P/S-boxes
    • Exhaust space in 3-7 hours for same cost as DES cracker?

FPGA Cryptanalysis
  • In 2003 Ian Howson and I examined cost/performance metrics for FPGA implementations of key search machines.
  • We showed that DES Cracker could be rebuilt using 622 Xilinx XC2S200E devices for a total hardware cost of $15,540.

DES modes of operation
  • Electronic Code Book (ECB)
    • Each 64 bit block is encrypted separately.
    • Vulnerable to dictionary attacks.

ECB properties
  • Identical plaintext blocks result in identical cyphertext blocks
  • Blocks are enciphered independently
    • reordering cyphertext blocks results in reordered plaintext blocks
    • ECB thus not recommended for messages > 1 block or reuse over more than one message.
  • Error Propagation: one or more bit errors in a cyphertext block only affects the corresponding plaintext block
    • In general, for a typical cypher, decryption of the affected block results in random plaintext (i.e. 50% of its bits in error)
  • Can strengthen through the use of random padding bits

cypher block chaining (CBC)
  • Cypher Block Chaining (CBC)
    • Blocks are chained together
    • IV is some predetermined value

CBC properties
  • Identical plaintexts result in identical cyphertexts when the same plaintext is encyphered using the same key and IV.
    • Changing one or more of k, IV or m_0 affects this.
  • Chaining dependencies
    • Cyphertext c_j depends on m_0 … m_j
    • Rearrangement of cyphertext blocks affects decryption
  • Error propagation
    • Bit error in cyphertext c_j affects decyphering of c_j and c_{j+1}.
    • Recovered block m'_j typically results in random bits
    • Bit errors in recovered block m'_{j+1} are precisely where c_j was in error.
      • Attacker can cause predictable bit changes in m_{j+1} by altering c_j
  • Bit Recovery
    • CBC is self-synchronising or cyphertext autokey in that if a bit error occurs in c_j but not c_{j+1}, then c_{j+2} correctly decrypts to m_{j+2}

output feedback mode (OFB)
  • Output Feedback Mode (OFB) (effectively a stream cypher)

properties of OFB
  • Identical plaintexts result in identical cyphertexts when the same plaintext is enciphered using the same key and IV.
  • Chaining dependencies
    • The keystream is plaintext independent
  • Error propagation
    • one or more bit errors in any cyphertext block result in errors in the decipherment of that block only, in the precise positions of the error bits
  • Error recovery
    • OFB recovers from cyphertext bit errors but not bit loss (which results in misalignment of the keystream)
  • Throughput
    • Keystream may be independently calculated (e.g. precomputed)
  • IV must be changed if the key is reused
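
The ECB, CBC and OFB properties of the last few slides, as one added example (not code from the lecture) that can be run to observe them. The block cypher underneath is a constructed toy: a keyed random permutation of all 2^16 values of a 16-bit block, built with Python's random module, which has ideal diffusion (any change to a cyphertext block gives an unrelated plaintext block) but is not a real cypher and is not DES (64-bit blocks). The messages and IV are constructed; there is no padding, so inputs must be block aligned.

```python
# Added example: ECB, CBC and OFB over a toy 16-bit keyed permutation.
import random

BLOCK = 2  # bytes per block in this toy (DES uses 8)


def make_cipher(key: bytes):
    """Return (encrypt_block, decrypt_block) for a keyed random permutation
    of the 2^16 block values. Constructed for illustration only."""
    table = list(range(1 << 16))
    random.Random(key).shuffle(table)
    inverse = [0] * len(table)
    for x, y in enumerate(table):
        inverse[y] = x
    enc = lambda b: table[int.from_bytes(b, "big")].to_bytes(BLOCK, "big")
    dec = lambda b: inverse[int.from_bytes(b, "big")].to_bytes(BLOCK, "big")
    return enc, dec


def blocks(data: bytes) -> list:
    assert len(data) % BLOCK == 0, "toy has no padding; input must be block aligned"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ecb_encrypt(enc, m: bytes) -> bytes:
    """Each block encrypted separately: equal m_j give equal c_j."""
    return b"".join(enc(b) for b in blocks(m))


def ecb_decrypt(dec, c: bytes) -> bytes:
    return b"".join(dec(b) for b in blocks(c))


def cbc_encrypt(enc, iv: bytes, m: bytes) -> bytes:
    """c_j = E(m_j XOR c_{j-1}), with c_0 = IV, so c_j depends on m_0..m_j."""
    out, prev = [], iv
    for b in blocks(m):
        prev = enc(xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(dec, iv: bytes, c: bytes) -> bytes:
    """m_j = D(c_j) XOR c_{j-1}: an error in c_j garbles m_j and flips the
    same bit positions in m_{j+1}, after which decryption resynchronises."""
    out, prev = [], iv
    for b in blocks(c):
        out.append(xor(dec(b), prev))
        prev = b
    return b"".join(out)


def ofb_keystream(enc, iv: bytes, nblocks: int) -> bytes:
    """o_j = E(o_{j-1}), o_0 = IV: independent of the plaintext, so it can be
    precomputed, and it must never be reused with the same key and IV."""
    out, o = [], iv
    for _ in range(nblocks):
        o = enc(o)
        out.append(o)
    return b"".join(out)


def ofb_crypt(enc, iv: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR with the keystream."""
    return xor(data, ofb_keystream(enc, iv, len(data) // BLOCK))


def flip_bit(data: bytes, bit: int) -> bytes:
    """Introduce a single cyphertext bit error (bit index from the start, MSB first)."""
    out = bytearray(data)
    out[bit // 8] ^= 1 << (7 - bit % 8)
    return bytes(out)


def bit_diff(a: bytes, b: bytes) -> list:
    """Indices of the bits in which a and b differ."""
    return [i for i in range(len(a) * 8) if (a[i // 8] ^ b[i // 8]) >> (7 - i % 8) & 1]
```

Running the three modes on a message of repeated blocks shows the ECB leak directly (identical cyphertext blocks), and flipping one cyphertext bit shows the contrast between CBC (one garbled block plus one predictable bit flip in the next) and OFB (only the flipped position is wrong).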

evaluating block cyphers and modes
  • Estimated Security Level
    • Confidence grows the longer it has been openly analysed.
  • Key Size
    • An upper bound on the security of the cypher (i.e. brute force).
    • Longer keys have added costs to key generation, distribution, storage, difficulty to remember passwords, key recovery (!)
  • Throughput
    • Relates to affinity of design to implementation
  • Block Size
    • Larger is better but more costly
  • Complexity of Cryptographic Mapping
  • Data Expansion
  • Error Propagation
    • Effect of bit errors differs between cyphers and mode of operation

references
  • Handbook of Applied Cryptography
    • §7.1 - §7.4
  • Stallings (3rd Ed)
    • §3