cryptography foundations symmetric cryptographyorium.pw/univ/mei/ssrc/symmetricencryption.pdf© 2011...

© 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 1

Cryptography Foundations

Symmetric cryptography (conventional encryption)


Outline

•  Symmetric cryptography –  Symmetric encryption algorithms

•  Attacks: brute-force vs. cryptanalysis –  Cipher block modes of operation –  Padding –  Encryption devices: location and management –  Key-distribution with symmetric cryptography


Outline


•  Attacks: Brute Force vs. Cryptanalysis –  Cipher block modes of operation –  Padding –  Encryption devices: location and management –  Key-distribution with symmetric cryptography


Symmetric cyphers •  Block-Oriented (or block ciphers)

–  Used with different block modes of operation •  Byte-oriented modes vs. N-bytes-block-oriented modes

–  Blocks with fixed size –  Key sizes and block sized defined (fixed) for each

algorithm (you must know it)

•  Stream-oriented (or stream ciphers) –  byte-stream-oriented or bit-stream-oriented operation –  Variable key-sizes (algorithm dependent) –  Fast to operate on stream-oriented inputs (bytes, bits)

•  Ex., real-time, iterative-traffic or low-latency communication requirements


Characterized by: –  Block size (larger means greater security) –  Key size (larger means greater security) –  Round transformation function (greater complexity

means more resistance) –  Number of rounds (multiple rounds increase security)

•  Type of operations in a round function –  Substitutions (Sboxes) –  Transpositions by permutations with possible block

expansion or block reduction (Pboxes), rotations (rotation tables)

–  Boolean operations (XOR) –  Sub-key generation in each round (from the input key) –  Algebraic operations (modular arithmetics, matrix

-operations, operations in GF2, etc.)


•  Security –  Remember the robustness and assessment criteria (brute

-force, test-analysis, cryptanalysis, …. previous classes) –  Requires complexity (complex transformations in each round),

large number of rounds, large keysize, large blocks •  Fast operation (performance)

–  Speed of the algorithm is a concern –  Simplicity (ex., HW implementations and embedded solutions,

fast computation, low computational cost, energy-savings, … •  Ease of analysis

–  Simplicity in the internal reference structure –  “analyzable”: formalisms and mathematical foundations

•  The interesting algorithms must balance these tradeoffs, maximizing each criteria


Horst Feistel, IBM, 1973

Base structure for many symmetric algorithms (ex., DES)

Decryption implemented as Encryption (input: ciphertext, and use of sub-keys in the reverse order)

In each round: Li = Ri-1 Ri = Li-1 xor F(Ri-1, Ki)


Symmetric block cyphers: AES, DES

Figures in AES:


Performance of algorithms

Comparisons in Java (standard JDK and Sun Crypto-Provider) http://www.javamex.com/tutorials/cryptography/ciphers.shtml http://www.javamex.com/tutorials/cryptography/hash_functions_algorithms.shtml

See also: Openssl speed benchmark (speed test library performance) http://wikis.sun.com/display/CryptoPerf/UltraSPARC+cryptographic+performance


•  Data Encryption Standard (DES) –  The most widely used encryption scheme, until 2000 –  The algorithm is reffered to the Data Encryption

Algorithm (DEA) –  DES is a block cipher

•  The plaintext is processed in 64-bit blocks •  The key is 56-bits in length


Base: Feistel structure: The overall processing at each iteration (round):

Li = Ri-1 Ri = Li-1 F(Ri-1, Ki)

•  Security concerns about: >The algorithm and the key length (56-bits) > Weak, semi-weak or potentially weak keys > 1998, EFF, DES cracker machine (3 days) > 10 hours (machine Doing 10^6 decryptions/microsec

DES Algorithm


Initial and final permutations

© 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 13 Henric Johnson 13

16 Rounds Sub-Key Generation

For each roud


Expansion/Permutation (EP box) and Pbox

In: 32 bits

Out: 48 bits

EP Box

Pbox

In: 32 bits

Out: 32 bits


Substitution Boxes (for 16 rounds)

Ex: 011101

0011


S boxes (S1 to S4)

Note: values in each sBOX: 0 to 15 (0000 a 1111) Ex: 8º sexteto MS 011101 01 (row 1) 1110 (column 14) Then: 011101 3, then output is 0011

Valores de entrada: 0 (000000) a 63 (111111)

Ex: 011101

0011


Sboxes (S5 a S8)


Sub-Key Generation For each roud


Sub-key generation •  A sub-key is generated in each round •  PC1: two halfs (28 bits) obtained by permutation •  In each round, each half is rotated for the next round

•  16 rotations (one per round): a specific rotation is defined for each round

•  PC2: In each round, a permutation with reduction (56 > 48 bits)

Input Key (56 bits) 2 Initial Sub-Keys (28 bits) (Initial Permutation PC1)


PC2 sub-key rescheduling 56 bits (28 left + 28 right)

48 bits

Block Ri-1

XOR

S-BOX (round i)

PC2

Key-Rotation (for the next round)

Key-Rotation


Multiple Encryption & DES •  Clear a replacement for DES was needed

–  theoretical attacks that can break it –  demonstrated exhaustive key search attacks –  Cryptanalysis: demonstrated vulnerabilities –  Weak, Semi-Weak and Potentially Weak keys

•  AES is a new cipher alternative –  The “standard” symmetric encryption for the XXI century –  Promoted by different organizations: NIST, ANSI, etc…

•  Prior to this alternative was to use multiple encryption with DES implementations

•  Triple-DES is the chosen form –  Compatibility, during the adoption of AES


Double-DES ? No thanks…

•  Could use 2 DES encrypts on each block

C = [ EK2 ( EK1(P) ]

•  Issue of reduction to single stage with single key (1992)

•  … and have “meet-in-the-middle” attack –  works whenever use a cipher twice –  since X = EK1(P) = DK2(C) –  attack by encrypting P with all keys and store –  then decrypt C with keys and match X value –  can show takes O(256) steps


Triple-DES with Two-Keys

•  hence must use 3 encryptions –  would seem to need 3 distinct keys

•  but can use 2 keys with E-D-E sequence

C = EK1(DK2(EK1(P))) –  Encrypt & decrypt equivalent in security –  If K1=K2 then can work with single DES (compatibility)

•  standardized in ANSI X9.17 & ISO8732 •  Effective key length of 112 bits •  no current known practical attacks

–  But the use of 3 keys is better (improvement of the key-length effect)


•  Although are no practical attacks on two-key TripleDES have some indications

•  can use Triple-DES with Three-Keys to avoid even these C = [ EK3 [ DK2 (EK1(P) ] ]

•  has been adopted by some Internet applications, eg PGP, S/MIME

•  Effective key lenght: 168 bits

Paranoid ? Use N times DEA with N different keys Problem ?

Note: Triple or N-encryption-decryption can be applied to any block cipher algorithm


•  TEMK – Triple Encryption with Minimum Key Constants T1, T2 and T3 and Two initial Keys: K1, K2 to derive three keys: KX1, KX2, KX3 for triple encryption KXi = D(K2, E(K1,Ti))

•  Use of Triple encryption modes (ex., Inner CBC, Outer CBC) •  Triple encryption with prefix-pads (pad size < block size) •  Doubling Block Length Space •  Ntuple Encryption: ex., n=5, 3 keys,

C=Ek1(Dk2(Ek3(Dk4(Ek5(P))))) •  Witening technique: C= K3 XOR E( K2, ( P XOR K1) ) •  Cascading multiple block ciphers: it is at least as hard to

break as any of its component ciphers •  Combination technique

–  Random bit-string R with the same size as M –  C = E(K1, R) XOR E(K2, (M XOR R) )


•  International Data Encryption Algorithm (IDEA) –  128-bit key –  Used in PGP

•  Blowfish –  Easy to implement –  High execution speed –  Run in less than 5K of memory


•  RC5 –  Suitable for hardware and software –  Fast, simple –  Adaptable to processors of different word lengths –  Variable number of rounds –  Variable-length key –  Low memory requirement –  High security –  Data-dependent rotations

•  Cast-128 –  Key size from 40 to 128 bits –  The round function differs from round to round


•  Skypjack –  Example of simple symmetric crypto, interesting for

small devices and HW implementation (very usual before AES implementations in HW for embeded systems and small devices, such as micro-sensos, motes, etc…


Symmetric block cyphers and characteristics

Criptografia Simétrica > Estabelecimento de canais seguros (Confidencialidade) > Problemas da partilha (distribuição) das chaves. Criptografia Assimétrica •  Confidencialidade: cifra com chave pública •  Autenticidade: assinaturas (cifra com chave privada) •  Envolver sínteses (one-way hashing nas assinaturas) •  Não repúdio: garantida no pressuposto de não revogação da

chave num dado tempo > Operação mais lenta

Alg. Key size Rounds Structure Applications Operations (standadization)

DES

3DES

IDEA

TEA

Blowfish

RC5

Cast-128

AES 128, 192, 256 10,12,14

56

112/168

128

128

< 448

< 2048

40-128

16

48

8

32

16

< 255

16

XOR, S-boxes, P-Boxes EP Boxes, Rotations, ...

idem

XOR, addition mod 2^16 ,Multiplication mod 2^16

XOR + shift

XOR + Variable S-boxes

Addition, subtraction XOR and rotation operations

Addition, Subtraction, XOR, Rotation and S-boxes

S boxes, Matrix SR-MC, XOR

SET, Kerberos

Financial standards E-commerce, PGP S/MIME, SSL

PGP, SSL

SSL

PGP

Many: promoted as a standard after 2000

Jump AES Later

Later

Later


Symmetric block cyphers and characteristics

Alg. Key size Rounds Structure Applications Operations (standadization)

Skypjack 4 x 8 = 32

XOR, P-Boxes Matrix-based Exp....

Sensors, WSN communication

80 bits


Skypjack

•  SKIPJACK is a 64-bit codebook utilizing an 80-bit cryptovariable (Key)

•  SKIPJACK encrypt/decrypt 4-word (64-bit) data blocks by alternating between the two stepping rules (A and B)

•  Input = Wi0, 1 ≤ i ≤ 4, (i.e., k=0 for the beginning step), Counter

initialized = 0 •  Steps (32 rounds of 8 step rules): Rules A, B, C, D

–  The Counter Increment by one after each step •  The Output = Wi

32, 1 ≤ i ≤ 4

Wi0

Wi32

32 rounds


Decryption Rule (A-1 and B-1)

W1k-1= [Gk-1]-1 (w2

k) W2

k-1= w3k

W3k-1= w4

k

W4k-1= w1

k ⊕ w2k ⊕ counterk-1

W1k-1= [Gk-1]-1 (w2

k) W2

k-1= [Gk-1]-1 (w2k) ⊕ w3

k ⊕ counterk-1 W3

k-1= w4k

W4k-1= w1

k

Rule A-1

Rule B-1


G - Permutation


Design Features in HW •  SKIPJACK module implemented “easily” as a

peripheral HW device (as a crypto module) with 16-bit host interface

•  Data interface to the module using read/write operation to the registers

•  Single design for Encryption and Decryption - Based upon a flag in control register

•  Device specific look-up ROMs used for look-up tables –  Fast, Low-memory requirements, Weak Energy

requirements (for the case of wireless devices with autonomous batteries)


F -Table and Cryptovariable F -Table •  The F function is a G permutation in a look up

table –  Row = The higher order 4-bit index –  Column = The lower order 4-bit index

Cryptovariable •  The Cryptovariable (key) is 10 bytes = 80 bits

long (labeled 0 through 9) and used in its natural order

•  Cryptovariable subscript is used in G-Permutation are interpreted mod -10


Example of Top Level Design •  Two major verilog module

–  Regmem module for external I/O interface –  Algorithm module for encrytion/decryption


Memory Map •  13 total registers

•  12 for data interface •  1 register for control


Interface Description •  Device Inputs

–  Input data buffer: 4 word (64-bits) –  Cryptovariable (key) buffer: 5 word (80-bits) –  Operating flag:

•  Encrypt/Decrypt (1 for encryption, 0 for decryption)

•  Start (writing a 1 starts the operation) •  Device Outputs

–  Output data buffer: 4 word (64-bits) –  Operating flag:

•  Done (a 1 indicates that the last operation is complete)


Algorithm Module


Algorithm Module - Blocks •  Control State Machine

–  Controls the encryption/decryption process; K-Counter, Register Loading, Done indication bit

–  Triggered by the Start command bit in control registers •  Fiestel Module

–  Implements the G and G-1 function using logic and 4 look-up tables for F function

•  P_reg1 through P_reg4 –  used for SKIPJACK data operation –  Input buffer can be reloaded with new data while operation is

performed on the previous data - Speeds up throughput •  K-Counter

–  Up/Down counter with preset and reset


Algorithm Module - State Machine •  5-State machine to control both

encryption/decryption


Algorithm Module - Feistel Module


Feistel Module - Description •  Single module to compute G and G-1 function •  Control based upon Enc_Decn control bit •  Reverses the input byte order to perform G-1

function (flipping the Fiestel structure to G function)

•  4 look-up ROMs (Altera specific) to implements F function

•  4 multiplexers 10:1 to select one of the 10 CV byte, controlled from the k-cntr look-up mechanism

•  One 32 entry look-up ROM to eliminate mod 10 computation of 4k, 4k+1, 4k+2, 4k+3

•  4 multiplexers 2:1 (4-bit) to select the index for the encryption or decryption


AES


AES (Advanced Encryption Standard) Origins and characteristics •  clear a replacement for DES was needed

–  have theoretical attacks that can break it –  have demonstrated exhaustive key search attacks

•  can use Triple-DES – but slow, has small blocks •  US NIST issued call for ciphers in 1997 •  15 candidates accepted (Jun/98), 5 were shortlisted in Aug/99 •  Rijndael was selected as the AES in Oct-2000 •  issued as FIPS PUB 197 standard in Nov-2001 •  designed by Rijmen-Daemen in Belgium •  an iterative rather than feistel cipher

–  processes data as block of 4 columns of 4 bytes –  operates on entire data block in every round

•  designed to be: –  resistant against known attacks –  speed and code compactness on many CPUs –  Simple to analyze


AES Requirements NIST Established the following reference criteria for proposals: •  Secret key / symmetric block cipher •  128-bit data, 128/192/256-bit keys •  stronger & faster than Triple-DES •  active life of 20-30 years (+ archival use) •  provide full specification & design details •  both C & Java implementations •  NIST have released all submissions & unclassified analyses


AES structure Not a Feistel structure … •  Data block of 4 columns of 4 bytes is state (128 bits) •  Key is expanded to array of words (44 words of 32 bits)

•  Has 9/11/13 rounds in which state undergoes: –  I : byte substitution (1 S-box used on every byte) –  II : shift rows (permute bytes between groups/columns) –  III : mix columns (subs using matrix multipy of groups) –  IV : add round key (XOR state with key material) –  view as alternating XOR key & scramble data bytes

•  Initial XOR key material & incomplete last round •  With fast XOR & table lookup implementation


Advanced Encryption Algorithm (AES)

•  Internal structure

•  Ex., 10 rounds for 128 bit keys

•  Successive processing of block-state arrays, combined with the expanded key

128 bit sub-key in each round


Input/Output State Array and Key Expansion

16 rounds of successive transformation of a 128 bit blocks (state arrays), organized as a square matrix of bytes (16x16 bits, ordered by column)

Key expanded from initial size (as a square matrix of bytes) to 44 columns (44 words, 4 bytes each)


Byte Substitution •  A simple substitution of each byte (defined) •  Uses one table of 16x16 bytes containing a permutation of all

256 8-bit values •  Each byte of state is replaced by byte indexed by row (left

4-bits) & column (right 4-bits) –  eg. byte {95} is replaced by byte in row 9 column 5 –  which has value {2A}

•  S-box constructed using defined transformation of values (byte-to-byte substitution of the block), byte values as polynomials in GF(28)

•  designed to be resistant to all

known attacks


Shift Rows •  a circular byte shift in each each

–  1st row is unchanged –  2nd row does 1 byte circular shift to left –  3rd row does 2 byte circular shift to left –  4th row does 3 byte circular shift to left

•  decrypt inverts using shifts to right •  since state is processed by columns, this step permutes

bytes between the columns


Mix Columns •  each column is processed separately / each byte is replaced

by a value dependent on all 4 bytes in the column •  effectively a matrix multiplication in GF(28) using prime poly

m(x) =x8+x4+x3+x+1


Add Round Key •  XOR state with 128-bits of the round key •  again processed by column (though effectively a series of

byte operations) •  inverse for decryption identical

–  since XOR own inverse, with reversed keys •  designed to be as simple as possible

–  a form of Vernam cipher on expanded key –  requires other stages for complexity / security


Advanced Encryption Algorithm (AES)

•  XXXXX I

II

III

IV


Stream ciphers

•  Block cipher (with ECB mode of operation)

•  Structure for stream ciphers •  Possible implementation with block ciphers. •  How ?


Stream ciphers •  process message bit by bit (as a stream) •  have a pseudo random keystream •  combined (XOR) with plaintext bit by bit •  randomness of stream key completely destroys statistically

properties in message –  Ci = Mi XOR StreamKeyi

•  but must never reuse stream key –  otherwise can recover messages (cf book cipher)

•  some design considerations are: –  long period with no repetitions –  statistically random –  depends on large enough key –  large linear complexity

•  properly designed, can be as secure as a block cipher with same size key

•  but usually simpler & faster


RC4 •  Proprietary cipher owned by RSA DSI •  Another Ron Rivest design, simple but effective •  Variable key size, byte-oriented stream cipher •  Widely used (web SSL/TLS, wireless WEP) •  Key forms random permutation of all 8-bit values •  Uses that permutation to scramble input info processed a

byte at a time


RC4 Key Schedule •  starts with an array S of numbers: 0..255 •  use key to well and truly shuffle •  S forms internal state of the cipher

// Initialization, S and T for i = 0 to 255 do

S[i] = i T[i] = K[i mod keylen])

// Initial Permutation of S j = 0 for i = 0 to 255 do

j = (j + S[i] + T[i]) (mod 256) swap (S[i], S[j])


RC4 Encryption •  encryption continues shuffling array values •  sum of shuffled pair selects "stream key" value from

permutation •  XOR S[t] with next byte of message to en/decrypt

i = j = 0 for each message byte Mi

i = (i + 1) (mod 256) j = (j + S[i]) (mod 256) swap(S[i], S[j]) t = (S[i] + S[j]) (mod 256) Ci = Mi XOR S[t]


RC4 encryption model •  Algorithm explained in Stallings, Network Security

Essentials (see section 2.4, Chapter 2)


RC4 Security •  claimed secure against known attacks

–  have some analyses, none practical •  result is very non-linear •  since RC4 is a stream cipher, must never reuse a key •  have a concern with WEP, but due to key handling and/or

pattern-repetitions rather than RC4 itself


Other stream ciphers •  SEAL •  A series (ex., A5, A8, GSM)


Outline


•  Attacks: Brute Force vs. Cryptanalysis –  Cipher block modes of operation –  Padding –  Encryption devices: location and management –  Key-distribution with symmetric cryptography


Also referred as conventional encryption, secret-key encryption or single-key encryption, or shared-secret key encryption

(intelligible)

M C={M}K M={C}’K X Y= E[ K, X ] X=D [ K,Y ]

Notation:

K K M M C

Plaintext or cleartext

ciphertext Plaintext or cleartext


Block ciphers •  Modern symmetric methods (modern cryptography) •  Applied cryptography (computers, devices, HW, SW, …)

–  Block-based design principles –  Initially inspired by classic methods (adapted for computers) ….

More complexity –  Reference on “standard” structures: Ex., Feistel network structure –  Statistical properties –  Standardization –  Attacks:

•  Brute Force attacks •  Differential and Linear Cryptanalysis principles

–  Algebraic structures and operations •  Mathematic foundations


Stream ciphers •  Modern symmetric methods (modern cryptography) •  Applied cryptography (computers, devices, HW, SW, …)

–  Stream-oriented processing –  Fast (ex., real-time bit-by-bit encryption/decryption) –  Also interesting for byte-streaming

•  Interactive applications (ex., SSH) •  Download of byte-streams (ex., WEB, HTTP)

– Use of algebraic fast computations, boolean operations, modular arithmetic


Modern cryptography •  Key points

–  Secrecy is in the “key” (not the algorithm, or its implementation) –  Publicly available, open specification, open validation

•  More scrutiny … more security •  Key-space, block-size implications •  Cryptanalysis: is the “age” of an algorithm an advantage ?

•  “Modern” symmetric encryption methods – Algebraic structures

•  Finite fields: groups, rings and fields •  Modular arithmetic •  Euclidean algorithm •  Finite fields of the form, GF(p) •  Polynomial arithmetic •  Finite fields of the form GF(2^n)


Symmetric algorithms •  Block-oriented symmetric ciphers

–  Ex., DES, TripleDES, IDEA, Skypjack, RC5, RC6, AES, Blowfish, Toofish, CAST-128, ...

–  Different modes of operation: ECB, CBC, CFB, OFB, CTR, ....

•  Stream-Ciphers –  Ex., RC4, SEAL, Katsumi, A-series (GSM), etc –  Bit-by-bit operation –  Byte-stream based transformations

•  Hybrid structure is also possible: – Stream Ciphers implemented with Block-Cipher

building blocks


AES - Advanced Encryption Standard >> •  Originally Rijndael from Daemen and Rijmen

–  Substitution of DES (NIST Call for proposals) –  http://en.wikipedia.org/wiki/Advanced_Encryption_StandardEvaluation –  Criteria for AES

•  Keys: 128, 192, 256 bits, Block sizes: 128 bits •  High dispersion with a simple (auditable) and fast

internal structure and algebraic proofs –  Block-operations in successive rounds

»  Block operated as a matrix »  Substitution Boxes »  Shift rows »  Mix columns »  XOR with sub-keys (generated form an expansion of the initial key)

•  Implementation issues: simple and fast implementations in SW and HW, simple auditing

•  Best indicators from all the NIST defined tests (CMVP)


Symmetric cryptography requirements (1) •  An opponent who knows the algorithm and has access to

one or more ciphertexts (C1, C2, …Ci, … Cn)

–  would be unable to obtain the respective plaintexts (P1, P2, … Pi, … Pn), if she/he don’t know the key K used to calculate Ci={Pi}K

–  would be unable to figure out the key K, even if she/he is in possession of a number of pairs (Pi, Ci), with Ci = {Pi}K

Security properties of symmetric ciphers

•  Security in a symmetric encryption: depends on the secrecy of the secret key (as an input parameter for the encryption/decryption algorithm) not from the secrecy of the algorithm


Symmetric cryptography requirements (2) •  Security in symmetric cryptography requires:

–  Sender and receiver (principals in a secure communication): must have obtained copies of the key K in a secure way (need a secure key-distribution protocol or secure key-establishment service)

–  Must keep the shared keys K secure Key storage is an important concern

–  Key exposition is an important concern

–  Possible rekeying mechanisms (key-refreshments) for Perfect Backward Secrecy (PBS) and Perfect Future Secrecy (PFS)

•  Prevention from possible compromising of keys •  Key-Independence (“perfect”) •  Fast or efficient rekeying may be an issue


Symmetric cryptography assessment •  Performance, implementation issues, test/certification •  Security concerns:

–  Key size vs. Block Size: Robustness under Brute-Force Attacks –  Cryptanalysis attacks

•  Cryptanalysis –  Differential cryptanalysis vs. Linear cryptanalysis –  Dispersion and entropy: formal distance tests between identical blocks

resulting from different transformations of the same plaintext block •  Kasiski test: distance decomposition in prime factors and period

evaluation with high probability as the CGD of the majority of evaluated distances

•  Coincidence test: % of similar symbols in identical overlapping cryptograms in a progressive displacement

–  Certification test programs and tools (ex., NIST CRYPTIK, METRIX

•  http://csrc.nist.gov/groups/STM/cavp/


Symmetric cryptography assessment •  Other current formal security verifications and proofs on symmetric

cryptography: –  Sensibility to initial setup conditions

•  Ex: Consequences in “one” bit changes

–  Evaluation of uniform distribution characteristics

–  Binary balance and mean entropy for a large number of generated keys (and consecutive sub-keys) and a large number of blocks (and consecutive sub-blocks)

–  Auto and Cross Correlation in large number of generated keys /and consecutive sub-keys)

–  Resistance to statistical attacks on pseudo-random generation mechanisms

–  Performance/adaptability for specific purposes (HW, RAM, OS primitives, etc)


Robustness and computational security criteria •  Robustness: if it is impossible (computationally impossible)

to decrypt a message on the basis of the ciphertext plus the knowledge of the encryption/decryption algorithm

•  Computational security criteria: –  Infinite time to break with available computing power and

resources (processing power MIPS, memory, storage,…) •  what is “infinite time” ?

–  Ex., More than the universe lifetime … 10^11 years ? –  Ex., More than the universe time in several orders of magnitude ? –  Finite time to break … but time exceeds the useful lifetime of the

protected information

–  Finite time to break but requires infinite or impossible computing power and resources

•  what is “impossible computing power” ? –  Ex., A quantity of computers requiring more silicon or germanium atoms

than the total quantity of atoms (estimated) available in our galaxy ? –  Ex., Processing speed required will cause the fusion of the materials ? –  Available computing can break before the useful lifetime of the

protected information … but the cost (money) of such computing resources exceeds the value of the protected information


Big numbers [Schneier 1996]


Without no inherent mathematical weaknesses: Brute-force attack

1 computer Computing Power aggregation

On average: half of key space searched

Practical terms: need more than key search -  Plaintext knowledge -  More difficult in other cases: binary, compressed, hashed data


DES, IDEA, RC5, TEA, CAST-128, AES-128, AES-192, AES-256

DES

IDEA, RC5, TEA CAST-128, AES-128

TDEA / 3DES

AES-192

AES-256

10^11 – Universe lifetime


Moore’s Law and other predictions •  http://en.wikipedia.org/wiki/Moore's_law •  Processing power doubles, each 18 months •  In 10 years, computers will be 100 times more powerful

(general resources). –  A desktop will fit into a cell phone –  Gigabit wireless connectivity everywhere –  Personal networks will connect our computing devices and the

remote services we subscribe to.

•  Other aspects of the future are much more difficult to predict –  Anyone can not predict what the emergent properties of 100x

computing power will bring: new uses for computing, new paradigms of communication. A 100x world will be different, in ways that will be surprising.


More brute-force attack estimations •  Moore Law (computing power):

–  double in each 18 months …. •  Cost estimation to break

2010

2034

2058

2082

2106

2130

2154

2178

2202

2226

2250

2274

Key size Year (attack)

80

96

112

128

144

160

176

192

208

224

240

256 Extr

apol

atio

n us

ing

the

Moo

re la

w Symmetric Alg. (key sizes)

Public-Key (ECC)

Public Key (RSA)

Time to Break

Storage needs

56 112 420 < 5 min Trivial

80 160 760 600 months

4GB

96 192 1020 3x10^6 years

170GB

128 256 1620 10^16 years

120TB

Robert Silverman, Technical Report RSA Laboratories, 2000

Ex., Breaking with $10 Millions in 2000:


Brute-Force conclusions •  Even if managed to speed up by a factor of 1 trillion (10^12)

Brute force attacks on 128 bit keys require 1 million years

•  So, in practice, 128 bit keys (no weak keys, generated randomly and securely established and maintained) are unbreakable with brute-force attacks

•  From this baseline the next security problem is the possible cryptanalysis attacks against specific algorithms


Cryptanalysis •  Process of attempting to discover the plaintext or key, from

the known or available information •  Cryptanalytic attacks: opponents using cryptanalysis

+ di

fficu

lt - d

iffic

ult

Mor

e co

mm

only

em

ploy

ed

Hig

h se

curi

ty

crite

ria


Confidentiality using symmetric encryption •  Best-Practices and Bad-Practices •  Concerns behind keys:

–  Key maintenance, Key-exposition –  Key-distribution, Key-establishment –  Placement of the encryption/decryption function –  Key-generation process and (random)-number generation –  Key-generation process and “weak-keys” discarding –  Perfect forward vs. backward secrecy –  Rekeying needs –  Recuperation of keys

•  How to use Cipher Block Modes of operation in a secure way (or how to choose the correct mode)

•  Padding and its relevance •  Combination of methods: secure combination ? •  Dynamic configuration of cipher-suites and security association

parameters / protocol design and implementation


Key-management in symmetric cryptography •  The previous problems are very relevant !

–  In symmetric cryptography the key is the same for encryption/decryption

•  Secret key-shared –  For 2 principals: 1 shared key

N principals: n(n-1)/2 keys O(n2)

Problem for secure-key-distribution, establishment and management

Non KDC based (pre-established keys) KDC based (client/server model) Redundant KDCs (client/server group), ex., 1, 2, …

3 principals: 3 keys 4 principals: 6 keys … 6 principals: 15 keys


Assessment approaches •  Assessment classic techniques

– Kasisky tests •  Frequency analysis •  Superposition and coincidence counting

– Friedman tests (variance analysis) •  See statistical analysis

–  http://en.wikipedia.org/wiki/Comparison_of_statistical_packages

– Other tests: •  Uniform distribution •  Binary balance (“0” and “1” distribution) •  Entropy metrics (ex., medium value in two

consecutive keys •  Auto-Correlation or cross-correlation


Assessment approaches – Conjugated statically tests in a battery (tools)

•  Ex., Randomness tests: http://stat.fsu.edu/pub/diehard

•  Assessment or certification programs and tools •  Ex., NIST: Ex: http://csrc.nist.gov/groups/ST/toolkit/index.html


Outline

•  Symmetric cryptography –  Symmetric encryption algorithms –  Cipher block modes of operation –  Padding –  Encryption devices: location and management –  Key-distribution with symmetric cryptography


Modes of Operation

•  Block ciphers encrypt fixed size blocks –  eg. DES encrypts 64-bit blocks with 56-bit key

•  need some way to encrypt/decrypt arbitrary amounts of data in practice

•  ANSI X3.106-1983 Modes of Use (now FIPS 81) defines 4 possible modes: ECB, CBC, CFB, OFB

•  subsequently 5 defined for AES & DES: CTR •  have block and stream modes


•  Plaintext blocks encrypted in an independent weay

•  Fast, parallelizable

•  Message repetitions may show in ciphertext

–  if aligned with message block –  particularly with data such graphics –  or with messages that change very little, which become a code

-book analysis problem

•  Weakness is due to the encrypted message blocks being independent: same plaintext blocks produces the same cyphertext blocks (using the same key)

•  Main use is sending a few blocks of data


ECB: manipulation of encrypted blocks Ex., electronic banking transaction, ref. with DES 1 block = 64 bits

Tim

esta

mp

Swift Code ID Bank Orig.

Swift Code ID Bank Dest

Name of entity: Ex., 6 blocks

IBAN Dest. Account Ex., 4 blocks

Ammount EUROS O

Pcod

e

Bank A

Bank B Mallory

Eavesdropping + Message Replying + Message Tampering (on specific blocks)


ECB (graphics, patterns)

What we want … Plaintext and Ciphertex with ECB


•  Cipher Block Chaining Mode (CBC) –  The input to the encryption algorithm is the XOR of the

current plaintext block and the preceding ciphertext block. –  Repeating pattern of 64-bits are not exposed

•  Use Initial Vector (IV) to start process Ci = DESK1(Pi XOR Ci-1) C-1 = IV

•  Uses: bulk data encryption, authentication

•  Same plaintext blocks => Different cyphertext blocks, even when the same key is used (different IVs)


•  + Security: plaintext patterns concealed by XORing with previous ciphertext blocks – Input to blocks randomized by the previous cipher text block

•  + Any change to a block affects all following ciphertext blocks

•  +/- Plaintext somewhat difficult to manipulate Only 1st block and last block can be removed) Bits changed in the first block: repetition allows controlled changes

•  + More than one message can be encrypted with the same key

•  + A ciphertext block depends on all blocks before it

•  + Speed in ~the same as block cipher •  - But ciphertext is up to one block longer than the plaintext •  - No pre-processing is possible •  -/+ Encryption is not parallelizable, but decryption is

parallelizable and has a random-access property

Secu

rity

Perf

orman

ce


•  - Need Initialization Vector (IV) –  which must be known to sender & receiver

•  Requires synchronization –  if sent in clear, attacker can change bits of first block, and

change IV to compensate –  hence IV must either be a fixed value (as in EFTPOS) –  or must be sent encrypted in ECB mode before rest of

message •  A cipher text error affects one full plaintext block

and the correspondent bit in the next block •  Synchronization errors unrecoverable

Fault-

Tolera

nce


•  Cipher Feedback Mode (CFB) –  Conversion of a block ciphers as stream cipher

(byte-oriented block cipher)

•  Message is treated as a stream of bits •  Added to the output of the block cipher •  Result is feed back for next stage (hence name) •  Standard allows any number of bit (1,8, 64 or 128 etc) to be

feed back –  denoted CFB-1, CFB-8, CFB-64, CFB-128 etc

•  Most efficient to use all bits in block (64 or 128) Ci = Pi XOR DESK1(Ci-1) C-1 = IV

•  Uses: stream data encryption, authentication


•  + Appropriate when data arrives in bits/bytes, most common stream mode (without counting)

•  + Plaintext concealed, input to block cipher is randomized •  + More than one message can be encrypted with the same

key (changing the IV) •  +/- Plaintext somewhat difficult to manipulate

Only 1st block and last block can be removed) Bits changed in the first block: repetition allows controlled changes

•  + Speed is ~the same as the block cipher •  + Cipher text with the same size than plaintext (not

counting the IV) •  +/- Encryption not parallelizable, decryption parallelizable

and has a random access property •  + Some pre-processing is possible (previous cipher text can

be encrypted (before a new plaintext block) – Note that the block cipher is used in encryption mode at both

Secu

rity

Pe

rfor

man

ce


•  Limitation is need to stall while do block encryption after every n-bits

•  Errors propogate for several blocks after the error: affecting correspondent bits of plaintext and the next full block

•  Synchronization errors of full block sizes are recoverable. A 1-bit CFB can recover from the addition or loss of single bits

Fault-

tolera

nce


•  message is treated as a stream of bits •  output of cipher is added to message •  output is then feed back (hence name) •  feedback is independent of message

•  can be computed in advance Ci = Pi XOR Oi Oi = DESK1(Oi-1) O-1 = IV

•  uses: stream encryption on noisy channels


•  + Plaintext patterns concealed •  + Input to the block cipher is randomized •  + More than one message can be encrypted with the same

key (provided that a different IV is used) •  - Plaintext is very easy to manipulate; any change in cipher

text directly affects the plaintext - more vulnerable to message stream modification A variation of a Vernam cipher

–  hence must never reuse the same sequence (key+IV) •  originally specified with m-bit feedback

(but subsequent research has shown that only full block feedback ie CFB-64 or CFB-128) should ever be used for high security)

•  + Speed is ~the same as block cipher •  - Cipher text is the same size as the plaintext, not counting

the IV •  + Pre-Processing possible before the message is seen •  -/+ not parallelizable

Secu

rity

Pe

rfor

man

ce


•  + Bit errors do not propagate - Cipher text error affects only the corresponding bit of plaintext

•  - But sender & receiver must remain in sync: synchronization error not recoverable

Fault-

tolera

nce


•  A “new” mode, though proposed early on •  Similar to OFB but encrypts counter value rather than any

feedback value •  Must have a different key & counter value for every

plaintext block (never reused) Ci = Pi XOR Oi Oi = DESK1(i)

•  Uses: high-speed network encryptions


•  Same criteria as OFB Random access to encrypted data blocks Provable security (good as other modes) But must ensure never reuse key/counter values, otherwise could break

(cf OFB)

•  Efficiency + ~The same Better than OFB

Parallelizable: can do parallel encryptions in h/w or s/w can pre-process in advance of need good for bursty high speed links

Secu

rity

Pe

rfor

man

ce

Perf

orman

ce

as OFB


•  CBC (entire blocks), CFB (mainly with m-bit blocks, more secure => larger m)

•  ECB, OFB and Counter: plaintext easy to manipulate

•  ECB, CTR (parallelizable) •  CFB (only partial parallelization in the decryption) •  CBC same but no pre-processing •  OFB no parallelization, no pre-processing

•  CFB - synchronization errors of full block sizes are recoverable, … but cipher text error affect the correspondent bit of plaintext + the next full block), OFB, CTR (ciphertext errors only affect the correspondent bit in plaintext)

•  ECB, CBC, OFB, CTR - Sync. Errors unrecoverable,

Secu

rity

Pe

rfor

man

ce

Fault-

Tolera

nce


OCB Mode (generic encryption mode)


OCB Mode (Authentication computation)


Other usual modes (Wireless communication settings) •  Mix counter modes, efficient block-chaining, merging in

general encryption with authentication proofs, with the same goals as OCB –  Examples:

•  IAPM •  XCBC •  CCM •  EAX •  GCM •  CWC •  PCFB •  CS


Comparative analysis •  See, ex: Svenda, IPICS 2004, Basic comparison of Modes for

Authenticated-Encryption (IAPM, XCBC, OCB, CCM, EAX, CWC, GCM, PCFB, CS)


•  Interleaving technique –  Ex., CBC Interleaving

•  Multiplex/Demultiplex with Interleaving –  Single message –  Multiple messages


Outline



Message Padding

•  At end of message must handle a possible last short block –  which is not as large as blocksize of cipher –  pad either with known non-data value (eg nulls) –  or pad last block along with count of pad size

•  eg. [ b1 b2 b3 0 0 0 0 5] •  means have 3 data bytes, then 5 bytes pad+count

–  this may require an extra entire block over those in message

•  Padding standardization: PKCS#5, PKCS#7, OAEP, etc –  See practical classes / labs - examples

•  There are other, more esoteric modes, which avoid the need for an extra block


Outline



Security principles •  Correct use of symmetric cryptography

–  Need for secure key-distribution and management

–  Choose between block and stream ciphers, according with the application needs and security concerns

–  Key-sharing is an issue for applications with a large number of principals

•  One only key for all the principals is not a good idea •  Possible approach: pair-wise shared keys •  Problem: for N principals you need to establish

N x (N-1)/2 keys in the environment 1 for 2, 3 for 3, 6 for 4, 10 for 5, ….

45 for 10, … 4500 for 100, …


Security principles

–  Minimize the exposition of keys •  Minimal exposition in memory during runtime

processes (discard as far as you don’t need)

•  Paranoid: delete/rewrite memory in explicit way with random bits…


•  Link encryption: –  A lot of encryption devices (smart cards, TPMs) –  High level of security –  Decrypt each packet at every switch

•  End-to-end encryption –  The source encrypt and the receiver decrypts –  Payload encrypted –  Header in the clear –  But you can encrypt headers with tunneling techniques

(how ?)

•  High Security: –  Both link and end-to-end encryption are needed –  Virtualization

•  VMs and Isolation (Hypervisor solutions) •  CPU Virtualization + I/O Virtualization •  Network perimiter defenses


Managing keys securely

•  Different keys (or different passwords, different key seeds, etc...) for different security domains

–  Managed with a MASTER KEY protecting a “Trust Repository” (Software vs. Hardware local strong encryption)

–  http://hackaday.com/2010/09/27/gpu-processing-and-password-cracking/

•  Keys and Cryptographic functions “inside” trust computing modules (smartcards, HW tamper proof modules or TPMs)


Outline



Establishment of symmetric keys •  Scale problem and key-management issues

–  How many shared keys are managed by each principal ? •  Possibility: 1 only key, shared with everybody (not

good idea) •  One key shared by a pair of principals (pairwise

keys): –  Combinations N, 2-2: N x (N-1)/2 chaves –  10 principals: 45 keys, 11 pricipals: 55 keys, ...

•  How to retrieve a loss key ? •  How to dismiss (revoke) compromised keys

–  End-to-End vs. Link-to-link level

•  PFS and PBS problem –  Perfect future secrecy and Perfect Backword Secrecy –  Key-independence for “Perfect” –  Fast methods for ReKeying –  Key-contribution and fairness requirements


You need secure key-distribution protocols to use cryptography

Possible solutions 1.  A key could be selected by A and physically delivered to B,

involving a key-agreement between A and B

2.  A third party could select the key and physically deliver it to A and B

3.  If A and B have previously used a key, one party could transmit the new key to the other, encrypted using the old key.

4.  If A and B each have an encrypted connection to a third party C, C could deliver a key on the encrypted links to A and B.


•  Session keys: –  Data encrypted with a one-time session key –  Or one-time pad (rekeying) for each message in a session –  At the conclusion of the session, or message-by-message

the key is destroyed (ephemeral keys)

•  Permanent keys: –  Used between entities for the purpose of distributing

session keys •  Used as long-time shared keys for the renegotiation of new session

keys (rekeying process) •  Example: shared symmetric keys between the principals and KDCs •  Example: public-keys registered in PKCs – for possible direct

negotiation of shared symmetric keys by the principals themselves

–  Keep in mind: it is a long-time duration secret – critical to be managed and keep in security


Different key-distribution protocols •  Protocols with symmetric cryptography

–  For entity authentication (no key-distribution) –  Server-less key establishment –  Server based key establishment (or KDC based) –  Multiple-server based key establishment

•  Protocols with asymmetric cryptography –  Entity-authentication based (no key-distribution) –  Server based (or PKC based) protocols

•  Key-Agreement protocols –  Diffie-Hellman based –  Elliptic-Curve D-H (ECDH Scheme) –  Identity-Based –  Conference or Group-oriented based

•  Hybrid protocols


Different key-distribution protocols KDC based protocols (…):

•  Needham Schroeder and variants •  Otway-Rees •  Neuman-Stubblebine •  Miller-Neuman (kerberos) •  Yahalom •  Wide Mouth Frog •  Janson-Tsudik •  Bellare-Rogaway •  Who-Lam •  Gong •  Boyd

•  PKC based protocols (…) •  Needham-Schroeder with public-key crypto and variants •  … Many others •  PKI based key-distribution, X509 Authentication services •  TLS Scheme •  Beller-Chang-Yacobi •  TMN •  AKA


•  William Stallings, Network Security Essentials, Chap.2 (summarized vision)

•  William Stallings, W. Cryptography and Network Security: Principles and Practice, 2nd edition. Pearson - Prentice Hall, 4th edition, 2006, chap 2, chap 3, chap.5 and chap. 6

•  Schneier, B. Applied Cryptography, New York: Wiley, 1996

Complementary (for Authentication and Key-Establishment): Colin Boyd and A. Mathuria, , Protocols for Authentication and Key-Establishment, Springer, 2003

Base-protocols (ex, Needham-Schroeder), Distributed Systems bibliography See also http://en.wikipedia.org/wiki/Needham–Schroeder_protocol

cryptography foundations symmetric cryptographyorium.pw/univ/mei/ssrc/symmetricencryption.pdf© 2011...

Documents