Symmetric Encryption - KTH
2
Acknowledgements
• Many people have contributed to the course material
• Former teachers
  – Alberto Escudero Pascal, Johan Montelius, Jan-Olov Vatn, Björn Knutsson
• We are particularly thankful to Prof. Vitaly Shmatikov, The Univ of Texas at Austin, for letting us use his material
3
Outline
• Symmetric encryption
  – Basics
• Modes of operation
  – How to deal with larger pieces of data
4
Symmetric Encryption
• Also known as:
  – Shared key encryption
  – Secret key encryption
• Same key for encryption and decryption
• Sender and receiver need to agree on a key
[Figure: plaintext input → Encryption → ciphertext → Decryption → plaintext output; both operations use the shared, secret key]
5
One-Time Pad
Encrypt: 10111101… ⊕ 00110010… = 10001111…
Decrypt: 10001111… ⊕ 00110010… = 10111101…
Key is a random bit sequence as long as the plaintext
Encrypt by bitwise XOR of plaintext and key:
ciphertext = plaintext ⊕ key
Decrypt by bitwise XOR of ciphertext and key:
ciphertext ⊕ key = (plaintext ⊕ key) ⊕ key = plaintext ⊕ (key ⊕ key) = plaintext
Cipher achieves perfect secrecy if and only if there are as many possible keys as possible plaintexts, and every key is equally likely (Claude Shannon)
6
Advantages of One-Time Pad
• Easy to compute
  – Encryption and decryption are the same operation
  – Bitwise XOR is very cheap to compute
• As secure as theoretically possible
  – Given a ciphertext, all plaintexts are equally likely, regardless of attacker’s computational resources
  – “Cipher achieves perfect secrecy if and only if there are as many possible keys as possible plaintexts, and every key is equally likely” (Claude Shannon)
  – …as long as the key sequence is truly random
    • True randomness is expensive to obtain in large quantities
  – …as long as each key is same length as plaintext
    • But how does the sender communicate the key to receiver?
7
Problems with One-Time Pad
• Key must be as long as plaintext
  – Impractical in most realistic scenarios
  – Still used for diplomatic and intelligence traffic
• Does not guarantee integrity
  – One-time pad only guarantees confidentiality
  – Attacker cannot recover plaintext, but can easily change it to something else
• Insecure if keys are reused
  – Attacker can obtain XOR of plaintexts
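The two problems listed on this slide, shown as an added example that is not part of the original course material. The sample messages, function names and the changed byte are constructed for illustration.

```python
import secrets

def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR; one-time pad encryption and decryption are this same operation."""
    if len(a) != len(b):
        raise ValueError("pad must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))

# Constructed sample messages of equal length (18 bytes).
P1 = b"PAY ALICE 0100 SEK"
P2 = b"MEET AT NOON TODAY"

def demo_roundtrip() -> bool:
    key = secrets.token_bytes(len(P1))     # fresh random pad
    return xor(xor(P1, key), key) == P1    # (p XOR k) XOR k == p

def demo_key_reuse() -> bool:
    key = secrets.token_bytes(len(P1))
    c1, c2 = xor(P1, key), xor(P2, key)    # same pad used for two messages
    # The key cancels out: the two ciphertexts alone give p1 XOR p2.
    return xor(c1, c2) == xor(P1, P2)

def demo_no_integrity() -> bytes:
    key = secrets.token_bytes(len(P1))
    c = xor(P1, key)
    # Any difference XORed into the ciphertext is XORed into the plaintext.
    # This one changes the byte at offset 10 from "0" to "9".
    delta = bytearray(len(c))
    delta[10] = ord("0") ^ ord("9")
    tampered = xor(c, bytes(delta))
    return xor(tampered, key)              # decrypts cleanly, nothing detects the change

if __name__ == "__main__":
    print("round trip ok:       ", demo_roundtrip())
    print("reuse leaks p1^p2:   ", demo_key_reuse())
    print("receiver decrypts to:", demo_no_integrity())
```

The pad gives confidentiality only; detecting the modified message needs a separate integrity mechanism.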
8
RC4
• Stream cipher
• Ron Rivest
• Generates a pseudo-random bitstream as a one-time pad
• Used in SSL and WEP (IEEE 802.11)
• First few bytes are non-random
  – Used to break WEP (Replaced by WPA)
[Figure: the key feeds a pad generator on each side; plaintext input 10111101… ⊕ pad 00110010… = 10001111…, and 10001111… ⊕ pad 00110010… = plaintext output 10111101…]
9
Block Encryption
• Map a block of plaintext input to a block of ciphertext
  – Mapping is defined by key
• Input and output blocks have same size
  – Too short makes it possible to store all possible mappings
  – Too long is impractical and slow
• Result should look like a random permutation
  – “As if” plaintext bits were randomly shuffled
[Figure: plaintext A B C D E, ciphertext C A E D B, 56-bit key]
10
DES (Data Encryption Standard)
• Invented by IBM, issued in the U.S. as federal standard 1977
• 64-bit blocks, 56-bit key
[Figure: block cipher with 56-bit key, 64-bit plaintext in, 64-bit ciphertext out]
11
Feistel
• A Feistel “round” consists of XOR of left and right half
  – Right half through substitution function “Mangler”
• Swap the result
• Horst Feistel, IBM, 1973
[Figure: one Feistel round, labelled Input left, Input right, Mangler, Key, +, Output left, Output right]
12
“Confusion and Diffusion”
• Concept by Claude Shannon
• Properties of cipher
• Confusion
  – Complex relationship between key and ciphertext
• Diffusion
  – Dependency between output and input
  – Ideally, flipping one input bit should flip each output bit with probability of one half
• Two main operations
  – Substitution – replace one symbol by another
  – Permutation – swap the bits around
13
Mangler Function
• Also known as Feistel function, round function, …
• S-boxes perform substitution
  – Replace one 4-bit symbol by another
    • Through a lookup table
  – Different for each S-box
  – Confusion
• Output is permuted
  – Diffusion
[Figure: Input and Key, four S-boxes (S S S S), Output]
14
Feistel Ladder
[Figure: Feistel ladder from Input block to Output block; the Key is expanded into Subkey 1 … Subkey i … Subkey n, one per round]
• Larger block gives greater security
• Larger key gives greater security
• Multiple rounds give greater security. DES uses 16.
• More complex subkey generation algorithm gives greater security
• More complex mangler function gives greater security
• Trade-off between security and complexity (speed)
• DES is reversible, so decryption is by running DES backwards!
15
DES Challenges
• DES Challenge III
  – January 1999
• Cracked in 22 hours 15 minutes
  – Electronic Frontier Foundation’s “Deep Crack”
  – Network of volunteers (distributed.net)
Plaintext: See you in Rome (second AES Conference, March 22-23, 1999) Ciphertext: bd 0d de 91 99 60 b8 8a 47 9c b1 5c 23 7b 81 18 99 0545 bc de 82 01 ab 53 4d 6f 1c b4 30 63 3c ee cd 96 2e07 c6 e6 95 99 9c 96 46 5a 95 70 02 02 70 98 bd 41 c288 a9 f0 2f 8b e5 48 20 d2 a8 a0 6b bf 93 de 89 f6 e252 fd 8a 25 eb d0 7d 96 83 ee a4 2d c8 8d 1b 71
16
Triple DES
• Three DES blocks in cascade
• Three or two keys (K1 = K3), 168 or 112 bits
• Compatibility with DES (with K1, K2, K3 equal)
[Figure: 3DES Encrypt: Encrypt DES, Decrypt DES, Encrypt DES, keyed with K1, K2, K3]
[Figure: 3DES Decrypt: Decrypt DES, Encrypt DES, Decrypt DES, keyed with K1, K2, K3]
17
DES Successors
• Advanced Encryption Standard (AES)
  – “Rijndael” after the inventors
  – Block size 128 bits, key length 128, 192 and 256 bits
  – Stated by the U.S. National Security Agency (NSA) that it may be used for classified information
    • 192 or 256-bit keys for “TOP SECRET”
• International Data Encryption Algorithm (IDEA)
  – 64-bit blocks, 128-bit keys
  – IPR issues (patents)
• Blowfish
  – Bruce Schneier
  – 64-bit blocks, keys from 32 to 448 bits
  – Compact and efficient implementation
• …
18
Encrypting a Large Message
• So, we’ve got a good block cipher, but our plaintext is larger than 128-bit block size
• Electronic Code Book (ECB) mode
  – Split plaintext into blocks, encrypt each one separately using the block cipher
• Cipher Block Chaining (CBC) mode
  – Split plaintext into blocks, XOR each block with the result of encrypting previous blocks
• Also various counter modes, feedback modes, etc.
19
ECB Mode
• Identical blocks of plaintext produce identical blocks of ciphertext
• No integrity checks: can mix and match blocks
[Figure: each plaintext block passes through its own block cipher invocation to give the corresponding ciphertext block]
20
CBC Mode: Encryption
• Identical blocks of plaintext encrypted differently
• Last cipherblock depends on entire plaintext
  – Still does not guarantee integrity
[Figure: the first plaintext block is XORed (⊕) with the initialization vector (random), each later block with the previous ciphertext block, before going through the block cipher. The initialization vector is sent with the ciphertext (preferably encrypted).]
21
CBC Mode: Decryption
[Figure: each ciphertext block is decrypted, then XORed (⊕) with the previous ciphertext block (the initialization vector for the first block) to give the plaintext block]
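The Feistel ladder and the ECB and CBC slides, combined in one added example that is not part of the original course material. It is a toy 64-bit Feistel cipher (not DES): the mangler function and subkey schedule are truncated SHA-256, and the function names, sample message and lack of padding are assumptions of this sketch.

```python
import hashlib

BLOCK = 8  # 64-bit blocks as in DES; this toy cipher is NOT DES

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def mangler(half: bytes, subkey: bytes) -> bytes:
    # Stand-in round function (assumption): truncated SHA-256, not S-boxes.
    return hashlib.sha256(subkey + half).digest()[:len(half)]

def subkeys(key: bytes, rounds: int = 16) -> list:
    return [hashlib.sha256(key + bytes([i])).digest() for i in range(rounds)]

def ladder(block: bytes, keys: list) -> bytes:
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for k in keys:
        left, right = right, xor(left, mangler(right, k))
    return right + left  # last swap undone, so reversed subkeys decrypt

def enc_block(b: bytes, key: bytes) -> bytes:
    return ladder(b, subkeys(key))
def dec_block(b: bytes, key: bytes) -> bytes:
    return ladder(b, subkeys(key)[::-1])  # same ladder, subkeys backwards

def split(data: bytes) -> list:
    if len(data) % BLOCK:
        raise ValueError("sketch assumes whole blocks (no padding)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(pt: bytes, key: bytes) -> bytes:
    return b"".join(enc_block(b, key) for b in split(pt))

def cbc_encrypt(pt: bytes, key: bytes, iv: bytes) -> bytes:
    out, prev = [], iv
    for b in split(pt):
        prev = enc_block(xor(b, prev), key)  # chain in previous ciphertext
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(ct: bytes, key: bytes, iv: bytes) -> bytes:
    out, prev = [], iv
    for c in split(ct):
        out.append(xor(dec_block(c, key), prev))
        prev = c
    return b"".join(out)

# Constructed sample: three identical blocks followed by a different one.
MESSAGE = b"SAMEDATA" * 3 + b"LASTBLK!"
```

Comparing `split(ecb_encrypt(MESSAGE, key))` with `split(cbc_encrypt(MESSAGE, key, iv))` shows three equal ciphertext blocks under ECB and four distinct ones under CBC; the IV should be fresh and random for every message.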
22
ECB vs. CBC
[Figure: AES in ECB mode; AES in CBC mode]
Similar plaintext blocks produce similar ciphertext blocks
[Picture due to Bart Preneel]
23
Information Leakage in ECB Mode [Wikipedia]
[Figure: Encrypt in ECB mode]