
Information Security SE 4472 / ECE 9064 Week 4: Symmetric Key Encryption Ideal Block Ciphers, Feistel Networks Fall 2015 Prof. Aleksander Essex


Page 1: Information Security - whisperlab.org · Information Security ... Symmetric Key Encryption Ideal Block Ciphers, Feistel Networks Fall 2015 Prof. Aleksander Essex. Block Ciphers •

Information Security SE 4472 / ECE 9064

Week 4: Symmetric Key Encryption

Ideal Block Ciphers, Feistel Networks

Fall 2015, Prof. Aleksander Essex


Block Ciphers


Block Ciphers

•  As we saw, classical ciphers like Caesar and Enigma encrypted individual letters
•  It’s the computer age, so let’s operate on strings of bits
•  Instead of encrypting an arbitrary-length message all at once, we’re going to break the message into blocks
•  Blocks are fixed-length, and we encrypt each block separately


Block Ciphers

•  A block cipher is a triple of functions $\langle \mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec} \rangle$
•  For a security parameter k and block length b:

$\mathrm{Gen}: k \to \{0,1\}^k$

$\mathrm{Enc}: \{0,1\}^b \times \{0,1\}^k \to \{0,1\}^b$

$\mathrm{Dec}: \{0,1\}^b \times \{0,1\}^k \to \{0,1\}^b$


The Ideal Block Cipher


Ideal Block Ciphers

What properties should an ideal block cipher have?

1.  Encryption should be reversible
•  Decryption should always return the original message
•  Encryption should be a bijection (one-to-one mapping)
•  A set of strings maps one-to-one to itself (permutation)
2.  Encryption/decryption should be easy with the key, hard otherwise
•  What if the key defines a random permutation drawn from the set of possible permutations?
3.  Computing the mapping (i.e., encrypting/decrypting) should be efficient


Ideal Block Ciphers

A block cipher maps b-bit strings to b-bit strings in a one-to-one fashion

The mapping is “random-looking”, and is defined by the key

Using a different key gives you a different random-looking mapping

[Figure: key k1 selects a one-to-one mapping from {0,1}^b to {0,1}^b]


Ideal Block Ciphers

Decryption is the inverse of Encryption

[Figure: under key k1, Enc maps {0,1}^b to {0,1}^b and Dec maps the result back]


Ideal Block Ciphers

•  There are b! possible permutations
•  There are 2^k possible keys
•  The key defines, or “chooses”, the permutation

[Figure: keys k1 and k2 each select a permutation of {0,1}^b; a third mapping of {0,1}^b to {0,1}^b that is not a permutation (we don’t want this—and why not?)]


A Codebook

Imagine a secret codebook that maps a word to another word

For example, in one codebook, Zebra maps to Engine.

In another codebook, maybe Zebra encrypts to Salad.

[Figure: the codebook for key k1, listing words (Aardvark, Zebra, …) beside their code words (Engine, Nephew, …)]


An Electronic Codebook

Essentially a block cipher is like a giant, secret, electronic codebook

[Figure: the same codebook for key k1, with words (Aardvark, Zebra, …) beside their code words (Engine, Nephew, …)]


Ideal Block Ciphers

Basically what we want is something called a pseudo-random permutation (PRP)

•  The key defines the permutation
•  The permutation is random-looking
•  It’s efficient to compute

•  How can we build a PRP?
•  Could we explicitly write out the secret codebook?
   o  Not efficient to compute: contains 2^b entries
•  Maybe we could create a one-to-one function
   o  Needs to be efficient, yet random-looking


The Feistel Network


Pseudo-random functions

Pseudo-random function (PRF)

[Figure: keys k1 and k2 each define a function from {0,1}^b to {0,1}^b that need not be one-to-one]

Unlike a PRP, a pseudo-random function (PRF) does not require a one-to-one mapping between the input space and the output space

Because a PRF has fewer restrictions than a PRP, it might be a good starting place toward creating a PRP


The Feistel Network

•  A method of turning a strong PRF into a strong PRP in 4 easy steps!
•  Proof due to Luby/Rackoff
•  Originally proposed by Horst Feistel as part of the Data Encryption Standard (DES) in the 70s
•  The first modern cipher
•  Uses a 64-bit block, and a 56-bit key


The Feistel Network (Encryption)

[Figure: a single Feistel round: the block halves a and b, the PRF keyed with k, and the round output a'; rounds are chained one after another (…)]

A single Feistel round

At least 4 sequential rounds needed if PRF is super strong.

DES uses 16 rounds.


The Feistel Network

•  Simple “twisted ladder” structure
•  Encryption accomplished by iterating several rounds
•  How many rounds is enough?
•  4 rounds enough to convert a strong PRF into a strong PRP
•  Wait: if the PRF doesn’t necessarily have an inverse and a PRP does, how can we “undo” the Feistel network to get back to the message?
•  Wouldn’t you need to be able to invert the PRF?
•  Actually no, due to the cleverness of the design
•  Check it out…


The Feistel Network

•  A number of well-known block ciphers use Feistel networks:
•  Blowfish
•  Camellia
•  CAST-128 (Canadian designed. CSE standard.)
•  Triple-DES, i.e., DES run 3 times in a row with different keys (typically encryption/decryption/encryption) to allow longer key lengths.
•  https://en.wikipedia.org/wiki/Feistel_cipher


The Feistel Network (Decryption)

[Figure: the Feistel round run backwards: the block halves a and b, the PRF keyed with k, and output a'; rounds chained in reverse order (…)]

Exercise. Convince yourself running the network backwards like this really does recover the message

Notice the PRF still runs “forwards”

Decryption works by running the network backwards


The Feistel Network

•  DES is insecure today, do not use it
•  Not a fault of the Feistel network
•  Weak key length (56 bits)
•  Issues in the PRF
•  Other popular ciphers like AES use other constructions
•  Point is: we can efficiently compute our “electronic code book” even if it has exponentially many entries!


The Electronic Code Book

•  Ok, we have the foundations to create a block cipher
•  We can take b bits of message and encrypt them to b bits of ciphertext
•  b=128 is a common modern block length
•  Note: A cipher’s key length and block length aren’t necessarily the same (e.g., DES, AES-256, etc).

•  Question:
•  Ok so we can encrypt a b-bit message.
•  How do we encrypt a message longer than b bits?
•  Maybe we could just treat each block independently?
   o  Hey, that sounds like a cool idea. What could possibly go wrong?


Motivating Question

•  Question: How do you use the b-bit block cipher to encrypt an m-bit message when m>b?

•  Idea: Just break the m-bit message up into b-bit blocks, and encrypt each block separately

•  A cipher mode of operation specifies how different blocks interact with each other during encryption.


Block Cipher Modes: Electronic Code Book (ECB)


Electronic Code Book (ECB)

[Figure: ECB mode: each plaintext block m0, m1, m2, …, mn is encrypted on its own to c0, c1, c2, …, cn]


An example electronic Codebook

•  Example: AES-256-ECB
•  AES with a 256-bit key in ECB mode

PLAINTEXT                                        CIPHERTEXT
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  67 8E EE 31 4C FC 24 2E F7 62 9E 39 D3 08 A1 4E
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01  51 03 35 71 62 68 87 E3 CB 16 86 BD EF C6 13 C3
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02  3B 1D F9 59 A8 31 C6 70 AF A8 F2 4A B9 B8 27 4B
…                                                …
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FD  F1 34 B9 FD 4B 01 43 33 C7 20 C2 17 29 A5 CB 11
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FE  D1 2E 8D B2 4F F4 F3 77 E8 9F 92 31 A3 38 48 B0
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  B0 5B 46 3E 58 2A AE FC 5A 40 58 E9 B4 5F 34 B3

•  AES uses a 128-bit or 16-byte block
•  Each byte can be one of 256 possibilities
•  Therefore our codebook contains 256^16 = 2^128 entries
•  Note: we didn’t compute the entire codebook! Just the first and last few values to show you


Electronic Codebook

•  Observation. According to our codebook:

FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF will always encrypt to

B0 5B 46 3E 58 2A AE FC 5A 40 58 E9 B4 5F 34 B3

•  Ok, so what if the message has a long run of such bytes?
•  Would that ever happen in a real-world setting?
•  Absolutely


Electronic Codebook

•  Example: Encrypting a .bmp
•  0xFFFFFF means “white”

[Figure: hexdump of Slide1.bmp]


Electronic Codebook

•  Encrypt .bmp file
•  AES-256-ECB using OpenSSL


Electronic Codebook

•  Recall

FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF will always encrypt to
B0 5B 46 3E 58 2A AE FC 5A 40 58 E9 B4 5F 34 B3

•  Taking bmp encoding into account:
•  A block of 4 white pixels will encrypt to a block of 4 pixels of random colour
•  Taking ECB into account:
•  Every block of 4 white pixels will encrypt to the same 4 random colour pixels


Electronic Codebook

•  Result: a block of all-white pixels encrypts to a (random-looking) sequence of pixel colors
•  Result is always the same


Electronic Codebook

Behold the result:

[Figure: the .bmp after AES-256-ECB encryption]


Electronic Codebook

Close-up of the pattern:

[Figure: close-up of the repeating pattern in the encrypted image]

•  Notice the pattern repeats
•  So for every sufficiently long run of white pixels, you’re going to see this pattern.
•  Of course the pattern will be different with a different key


Electronic Codebook

Question: What security level would you ascribe to this?

IND-EAV? IND-CPA? IND-CCA? None of the above?


Electronic Codebook

There’s a lot of non-random data out there to encrypt.

How can we use a block cipher to encrypt a message longer than a few bytes so that the entire result looks like random noise?


Block Cipher Modes: Cipher Block Chaining (CBC)


Cipher Block Chaining (CBC)

[Figure: CBC encryption: m0 is xored with the IV before encryption to c0; each later block mi is xored with the previous ciphertext block before encryption to ci, up to mn and cn]


Cipher Block Chaining (CBC)

•  Breaks up repetition in plaintext by XORing each block with a “random-looking” value
•  Initialization vector
•  One-time value
•  Sent along with ciphertext
•  It gets sent unencrypted (and that doesn’t harm privacy)
•  Used to recover message
•  Needs to be unpredictable (more to come)


Cipher Block Chaining (CBC) Decryption

[Figure: CBC decryption: each ci is decrypted and xored with the previous ciphertext block (the IV for c0) to recover mi, from m0 up to mn]


Cipher Block Chaining (CBC)

The idea: it would be great if we could make each block of the message look different—even if it wasn’t.

Hmm… the ciphertext is random-looking. What if we combined the ciphertext of the previous block with the plaintext of the current block?

That would break up any repetition in the message


Cipher Block Chaining (CBC)

Et voilà:

[Figure: the encrypted .bmp in ECB mode beside the same image encrypted in CBC mode]


Block Cipher Modes: Counter (CTR)


Counter Mode (CTR)

[Figure: CTR mode: the counter blocks IV, IV+1, …, IV+n are encrypted and the results xored with m0, m1, …, mn to give c0, c1, …, cn]


Counter Mode (CTR)

•  Advantages
•  Security proof
•  Simpler implementation:
   o  CTR mode is the same for encryption as decryption
   o  Only uses the encryption function of a block cipher
•  Parallelizable/Threadable
   o  Unlike CBC, CTR can be computed in parallel
•  Pre-processing
   o  Pad can be computed offline
•  Random access

•  Disadvantages
•  Can’t be safely used with small block length ciphers (e.g. 3DES)
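The Feistel round and its reversal from the earlier slides, together with the ECB, CBC and CTR modes above, as an added Python example that is not part of the lecture. The block cipher is a constructed 4-round Feistel over an HMAC-SHA256 PRF (a stand-in, not DES or AES); its 16-byte block, key schedule and the repeated_blocks check are assumptions of this example, and messages are taken to be a whole number of blocks (padding is not covered here).

```python
import hmac
import hashlib
import os

# Constructed toy parameters (not DES/AES): a 16-byte block split into two 8-byte halves.
BLOCK = 16
HALF = BLOCK // 2
ROUNDS = 4  # Luby-Rackoff: four rounds of a strong PRF give a strong PRP

def xor(x: bytes, y: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(x, y))

def prf(round_key: bytes, half: bytes) -> bytes:
    """Keyed PRF: HMAC-SHA256 truncated to a half block. Not invertible, and it never has to be."""
    return hmac.new(round_key, half, hashlib.sha256).digest()[:HALF]

def round_keys(key: bytes) -> list:
    """Constructed key schedule: one derived key per round."""
    return [hmac.new(key, bytes([i]), hashlib.sha256).digest() for i in range(ROUNDS)]

def feistel_encrypt(key: bytes, block: bytes) -> bytes:
    a, b = block[:HALF], block[HALF:]
    for rk in round_keys(key):
        a, b = b, xor(a, prf(rk, b))  # one round: (a, b) -> (b, a xor PRF_k(b))
    return a + b

def feistel_decrypt(key: bytes, block: bytes) -> bytes:
    a, b = block[:HALF], block[HALF:]
    for rk in reversed(round_keys(key)):  # same rounds in reverse order; the PRF still runs forwards
        a, b = xor(b, prf(rk, a)), a      # undo one round: (b, a xor PRF_k(b)) -> (a, b)
    return a + b

def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, msg: bytes) -> bytes:
    """ECB: every block is encrypted independently, so equal plaintext blocks give equal ciphertext."""
    return b"".join(feistel_encrypt(key, m) for m in blocks(msg))

def cbc_encrypt(key: bytes, iv: bytes, msg: bytes) -> bytes:
    """CBC: each block is xored with the previous ciphertext block (the IV for the first) before encryption."""
    out, prev = [], iv
    for m in blocks(msg):
        prev = feistel_encrypt(key, xor(m, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(feistel_decrypt(key, c), prev))
        prev = c
    return b"".join(out)

def ctr_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """CTR: keystream block i = E_k(IV + i), xored with the data. The same routine encrypts and
    decrypts, only the forward cipher is used, and any block can be computed on its own."""
    out = []
    for i, chunk in enumerate(blocks(data)):
        counter = ((int.from_bytes(iv, "big") + i) % (1 << (8 * BLOCK))).to_bytes(BLOCK, "big")
        out.append(xor(chunk, feistel_encrypt(key, counter)))  # zip truncates for a short last block
    return b"".join(out)

def repeated_blocks(ct: bytes) -> int:
    """Defender's check: number of duplicate ciphertext blocks (the ECB fingerprint seen in the bitmap)."""
    bs = blocks(ct)
    return len(bs) - len(set(bs))

if __name__ == "__main__":
    key, iv = os.urandom(32), os.urandom(BLOCK)
    white = b"\xff" * BLOCK * 8  # constructed: eight identical "all-white" blocks, like a bitmap run
    print("ECB duplicate blocks:", repeated_blocks(ecb_encrypt(key, white)))      # 7
    print("CBC duplicate blocks:", repeated_blocks(cbc_encrypt(key, iv, white)))  # 0
    print("CTR duplicate blocks:", repeated_blocks(ctr_crypt(key, iv, white)))    # 0
```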


Other modes

•  Cipher feedback mode (CFB) and Output Feedback Mode (OFB)
•  Similar to CBC, but does not need the decryption function
•  XTS
•  Specialized for random access applications like full-disk encryption
•  Offset Codebook (OCB) and Galois/Counter (GCM)
•  Modes for authenticated encryption (more in a future lecture)


Security of Cipher Modes


Discussion

•  What are the security levels for each mode for messages larger than b bits?
•  ECB mode
•  Not IND-EAV (see previous example encrypting all white pixels)
•  CBC, CTR modes
•  OTS, yes, what about IND-CPA?
•  Suppose the attacker could predict the IV?
•  Exercise: show that this is IND-EAV but not IND-CPA secure


The Advanced Encryption Standard (AES)


Advanced Encryption Standard (AES)

•  NIST AES competition to design new block cipher
•  “Rijndael” cipher adopted as AES in 2001
•  Supports 128-, 192-, and 256-bit keys
•  Uses a 128-bit block
•  For all key lengths
•  Not a Feistel network
•  Uses ‘math-y’ operations (Galois field operations) to implement a PRP
•  In 2014, AES accounts for 48% of connections made by Chrome (RC4 stream cipher accounts for about 52%)
•  See https://www.imperialviolet.org/2014/02/27/tlssymmetriccrypto.html
•  By 2015, AES accounts for almost 100% (in up-to-date browsers)
•  https://telemetry.mozilla.org/advanced/#filter=release%2F40%2FSSL_SYMMETRIC_CIPHER_FULL


AES Encryption

•  Consists of several rounds
•  10 rounds in the 128-bit variant
•  14 rounds in the 256-bit variant
•  Unlike a Feistel network, the round function is a PRP
•  Similar to Feistel, a “key schedule” is used to make each round effectively different

[Figure: message → round → round → … → round → ciphertext, with the key fed through the key schedule into each round]


AES Decryption

•  Inverse of round function is employed
•  possible since round is a PRP
•  Flow of rounds is reversed for decryption
•  Key schedule function and flow stay the same

[Figure: ciphertext → inv. round → inv. round → … → inv. round → message, with the key fed through the same key schedule into each inverse round]


Advanced Encryption Standard (AES)

•  The AES designers implemented a PRP in the round function by using Galois Field arithmetic
•  Similar to integer addition/multiplication modulo a prime number, but works on binary bits
•  PRP details:
•  Multiplication and addition can be reversed, i.e., $-x$ and $x^{-1}$ are well defined
•  Bits map to bits


Advanced Encryption Standard (AES)

•  Specific field used: GF(2^8), i.e., bytes
•  Works well even on constrained devices
•  Why Galois fields?
•  “Addition” is just a bit-wise XOR
•  “Multiplication” a little more complicated, but still simple bit operations
•  GF operations are fast in hardware & software and easy to explain/justify
   o  Side note: people were worried about backdoors in the 90s. We’re back to the future in the 2010s—courtesy of the NSA


Galois Field Arithmetic

•  Now a very basic treatment
•  Only covers the “how” (i.e., how operations are performed)
•  See Sec. 4 of the AES specification for more info:
   o  (http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf)
•  Elements of GF(2^m) can be represented as {0,1}^m, i.e., the set of m-bit binary strings
•  Addition is xor
•  Multiplication is similar to “regular” (integer) multiplication, but uses carry-less addition


Galois Field Arithmetic

An addition example (from AES spec)

•  Polynomial notation
•  $(x^6 + x^4 + x^2 + x + 1) + (x^7 + x + 1) = x^7 + x^6 + x^4 + x^2$
•  Binary notation
•  {01010111} xor {10000011} = {11010100}
•  Hex notation
•  {57} xor {83} = {d4} (hexadecimal notation)


Galois Field Arithmetic

•  Multiplication example (binary representation)

             01010111
    x        10000011
    -----------------
             01010111     (bit 0 of 10000011 is set)
    +       01010111      (bit 1 is set)
    + 01010111            (bit 7 is set)

    Binary arithmetic algorithm(A, B):   // returns A*B
        result = 0
        for each bit a_i in A:
            if a_i = 1:
                result += (B << i)
        return result

•  For integers, the “+” means integer addition. Large values carry forward, so e.g., 1+1=10
•  For GF(2^m) elements, “+” means xor. So 1+1=0
•  Just left shift and xor


Galois Field Arithmetic

•  Multiplication example (binary representation)

             01010111
    x        10000011
    -----------------
             01010111
    +       01010111
    + 01010111
    -----------------
       10101101111001

•  Result in GF(2^8) is: 10101101111001
•  But there are only 2^8 elements in GF(2^8), represented by all 8-bit binary strings. Our result is 14 bits.
•  Need to do modular reduction, aka find the remainder after long division
•  What does that mean in GF(2^8)?
•  Irreducible polynomial
•  100011011 in AES


Galois Field Arithmetic

•  Multiplication example (modulo reduction)

      10101101111001
    + 10001101100000      (100011011 aligned with the msb)
      --------------
      00100000011001
    +    100011011000     (100011011 aligned with the new msb)
      --------------
      000011000001

Irreducible polynomial:
•  Align with msb of result
•  xor causes msb to cancel out
•  repeat until result is m bits or less
•  Sequence of bit operations (bit test, bit shift, xor)

Result: 01010111 x 10000011 = 11000001


Why GF operations?

•  ‘F’ stands for field, meaning that arithmetic operations (addition, multiplication) of a variable with a constant value implement a permutation by definition
•  Operations are primitive binary operations:
•  Sequence of bit tests, bit shifts, and xors
•  Versatile implementation options:
   o  Look up tables, hardware circuits, etc
•  No obvious way to hide a backdoor
•  Simple operations suggest a simple algebraic structure.
•  Trade-off between speed, security and transparency


The AES round function

Input (16 bytes):

    b0   b4   b8   b12
    b1   b5   b9   b13
    b2   b6   b10  b14
    b3   b7   b11  b15

SubBytes (finite-field transform on bytes):

    c0   c4   c8   c12
    c1   c5   c9   c13
    c2   c6   c10  c14
    c3   c7   c11  c15

where: $c_i = b_i^{-1} + \mathrm{0x63}$

ShiftRows (bytes get permuted):

    c0   c4   c8   c12
    c5   c9   c13  c1
    c10  c14  c2   c6
    c15  c3   c7   c11

MixColumns (finite-field matrix multiplication on columns):

    d0   d4   d8   d12
    d1   d5   d9   d13
    d2   d6   d10  d14
    d3   d7   d11  d15

where:

$$\begin{pmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{pmatrix} \begin{pmatrix} c_0 \\ c_5 \\ c_{10} \\ c_{15} \end{pmatrix} = \begin{pmatrix} d_0 \\ d_1 \\ d_2 \\ d_3 \end{pmatrix}$$

AddRoundKey (round bytes get xored with round key bytes):

    e0   e4   e8   e12
    e1   e5   e9   e13
    e2   e6   e10  e14
    e3   e7   e11  e15

where: $e_i = d_i + k_i$

to next round
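The GF(2^8) arithmetic from the multiplication slides (shift-and-xor, then reduction by 100011011) and the four round steps from the diagram above, as an added Python example that is not the lecture’s or NIST’s code. It goes one step beyond the slide by using the full FIPS-197 affine map for SubBytes rather than only the “+ 0x63” shown; the column-major state layout (byte index = 4·column + row) mirrors the grids above.

```python
# Constructed example: GF(2^8) arithmetic as the slides describe it, and the AES round steps on top of it.
AES_POLY = 0b100011011  # x^8 + x^4 + x^3 + x + 1, the irreducible polynomial from the AES spec

def gf_add(a: int, b: int) -> int:
    """Addition in GF(2^m) is bitwise xor (1 + 1 = 0, no carries)."""
    return a ^ b

def gf_mul(a: int, b: int) -> int:
    """Carry-less multiply (left shift and xor), then modular reduction so the result fits in 8 bits."""
    product = 0
    for i in range(8):
        if (a >> i) & 1:            # for each set bit a_i of A: result += (B << i), with "+" = xor
            product ^= b << i
    for shift in range(product.bit_length() - 9, -1, -1):
        if (product >> (shift + 8)) & 1:  # align the polynomial's msb with the leading 1 and cancel it
            product ^= AES_POLY << shift
    return product

def gf_inv(a: int) -> int:
    """Multiplicative inverse in GF(2^8); 0 maps to 0 by convention, as SubBytes does."""
    return 0 if a == 0 else next(x for x in range(1, 256) if gf_mul(a, x) == 1)

def sbox(b: int) -> int:
    """SubBytes on one byte: invert in GF(2^8), then the FIPS-197 affine map ending in xor 0x63."""
    x = gf_inv(b)
    rotl = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    return x ^ rotl(x, 1) ^ rotl(x, 2) ^ rotl(x, 3) ^ rotl(x, 4) ^ 0x63

# State layout follows the slide's grid: byte index = 4*column + row, so column 0 is b0 b1 b2 b3.
def sub_bytes(state: list) -> list:
    return [sbox(v) for v in state]

def shift_rows(state: list) -> list:
    """Row r is rotated left by r bytes, so column 0 of the output is c0, c5, c10, c15."""
    return [state[4 * ((col + row) % 4) + row] for col in range(4) for row in range(4)]

MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]

def mix_columns(state: list) -> list:
    """Each column is multiplied by the fixed MIX matrix using GF(2^8) arithmetic."""
    out = []
    for col in range(4):
        c = state[4 * col:4 * col + 4]
        for row in MIX:
            acc = 0
            for m, v in zip(row, c):
                acc = gf_add(acc, gf_mul(m, v))
            out.append(acc)
    return out

def add_round_key(state: list, round_key: list) -> list:
    """Round bytes are xored with the round key bytes: e_i = d_i + k_i."""
    return [gf_add(s, k) for s, k in zip(state, round_key)]

def aes_round(state: list, round_key: list) -> list:
    """One full AES round: SubBytes, ShiftRows, MixColumns, AddRoundKey."""
    return add_round_key(mix_columns(shift_rows(sub_bytes(state))), round_key)

if __name__ == "__main__":
    print(hex(gf_add(0x57, 0x83)), hex(gf_mul(0x57, 0x83)))  # the slides' examples: 0xd4 and 0xc1
    print(hex(sbox(0x53)))                                    # FIPS-197 example: 0xed
```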


AES Take Away Points

•  For the purposes of this course it is less important that you understand the exact bits and bytes operations going on inside AES

•  For our purposes, we’ll treat AES mostly like a black box: you need to know inputs, outputs, and the required properties of a secure block cipher.

•  It is more important that you understand how to use a block cipher in a secure mode of operation.


AES: The movie

•  If you’re interested in more detail on how AES works, check out this great animation:
•  http://www.formaestudio.com/rijndaelinspector/archivos/Rijndael_Animation_v4_eng.swf
•  If you want to understand more about its design and why it is the way it is, check out the FIPS specification:
•  http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf