CS363Week 3 - Friday

Last time

What did we talk about last time? Modular arithmetic Shift ciphers Transposition ciphers Substitution ciphers Vigenère ciphers One-time pad

Questions?

Project 1

Matthew Sternbergh Presents

One-Time Pad

One-Time Pad

A One-Time Pad is similar to the Vigenère cipher, except that the key is as long as the message

What will this do to the index of coincidence?

Any given ciphertext could be decrypted into any plaintext, provided that you have the right key

One-Time Pad example

Key: THISISTHESECRETPASSWORD Plaintext: SOMEBODY SHOUTED

MCINTYRE

Now, use the key IFYOUDISSDRDRE to encrypt MELODY AND RHYME

S O ME B O D Y S H O U T E D MC I N T Y R E

T H I S I S T H E S E C R E T P A S S WO R DL V U WJ G WF WZ S WK I W B C A F P MI H

One-Time Pad example continued Plaintext: SOMEBODY SHOUTED

MCINTYRE

Find a key (never done that before, have we?) that will encrypt the plaintext to YOUCOULDFINDTHEABSTRACT

Perfect secrecy

A One-Time Pad has the property of perfect secrecy or Shannon secrecy

Perfect secrecy means that P(M) = P(M|C) Remember that it is possible to find a

key that would decrypt a ciphertext to any plaintext

Thus, learning the ciphertext tells you nothing about the plaintext

One-Time Pad weaknesses You can only use it one time

Otherwise, recovering the key is trivial Completely vulnerable to known plaintext

attack The key is as long as the message If you have a way of sending a key that

long securely, why not send the message the same way?

Generating keys with appropriate levels of randomness presents a problem

Secure Encryption Algorithms

How do you define good? Claude Shannon is the guy that invented Shannon secrecy

and is considered the father of information theory He proposed 5 characteristics for a good cipher:1. The amount of secrecy needed should determine the

amount of labor appropriate for encryption and decryption2. The set of keys and the enciphering algorithm should be

free from complexity3. The implementation of the process should be as simple as

possible4. Errors in ciphering should not propagate and cause

corruption of further information in the message5. The size of the enciphered text should be no larger than

the text of the original message

A more modern view

Shannon was focused on hand encryption

Modern commercial users of cryptography want the following characteristics for their cryptosystems: Based on sound mathematics Analyzed by competent experts and

found to be sound Stood the test of time

Stream and Block Ciphers

Stream and block ciphers A common way of dividing ciphers is into

stream ciphers and block ciphers Block ciphers divide messages into fixed

length parts (or blocks) and encipher each part with the same key

Stream ciphers encipher each message character by character Some other authors define a stream cipher to

be like a block cipher except that the key changes with each block based on the message

Self-synchronous stream ciphers Self-synchronous ciphers are stream ciphers that get

the key from the message itself The simplest such cipher is an autokey cipher that

uses the message itself for the key Essentially, this is similar to the Vigenère cipher with

the key coming from the message Example:

Message: THISISTHEREMIX Key: QTHISISTHEREMI

Alternatively, the key can be drawn from the ciphertext Message: THEBOYHASTHECAT Key: XQXBCQOVVNGNRTT Ciphertext: QXBCQOVVNGNRTTM

Confusion and Diffusion Confusion is the property of a cryptosystem that

changing a single character in the plaintext should not have a predictable effect

Diffusion is the property of a cryptosystem that each character in the plaintext should impact many characters in the ciphertext

Examples: Caesar cipher has poor confusion and no diffusion One time pad has good confusion but no diffusion Auto-key ciphers may have poor confusion but good

diffusion AES and DES have good confusion and diffusion within a

block

Models of Attacks

Attacks

We measure a cryptosystem based on its resistance to an adversary or attacker

Kinds of attacks: Ciphertext only Full or partial plaintext Chosen plaintext Chosen ciphertext Ciphertext and plaintext pairs

Ciphertext only

Attacker only has access to an encrypted message, with a goal of decrypting it

This is the assumption we have made so far when cryptanalyzing the classical ciphers

The world is filled with ciphertext data

This model gives the attacker very little to work with

Full or partial plaintext Attacker has access to a plaintext and its matching

ciphertext, with a goal of discovering the key It is possible that the full or partial plaintext is

available because it is an encrypted broadcast of public (or soon to be public) information Perhaps a secret transmission informed everyone of a

new policy Then, the policy is made public

Some messages are very common “Nothing to report.” If these messages are predictable, the ciphertext could

be intercepted and the plaintext guessed

Chosen plaintext Attacker may ask to encrypt any plaintext, with

a goal of discovering the key This model seems unusual, but it comes up in

practice Military forces seize a transmission room and start

transmitting messages Perhaps they don’t have enough knowledge to learn

the encryption settings, but the known messages could be analyzed later

All public key cryptosystems allow this kind of attack, since anyone can generate encrypted messages

Chosen ciphertext

It is unusual that an attacker can pick a ciphertext and ask for it to be decrypted Why not just ask for any particular

ciphertext that you’re interested in? If you have access to code that can

encrypt huge amounts of plaintext quickly, it is possible to attempt a brute force encryption that will approximate choosing the ciphertext

Ciphertext and plaintext pairs As an extension of known plaintext,

it may be the case that you have many ciphertext/plaintext pairs that are encrypted with the same key

Human error

Humans allow some of the scenarios described above through error Operators transmit the same message

with two different keys Operators transmit some information in

the clear Operators transmit a repeat of a

message but make small mistakes the second time

As usual, humans are a problem

DES

Block ciphers A block cipher is a symmetric key cipher that

works on a block of data of a given size For compatibility with hardware, block sizes are

often powers of two: 64 bits, 128 bits, 256 bits, etc.

Block ciphers are a fundamental part of many modern cryptosystems

To encrypt a message longer than a single block: First break the message into blocks Then, each block could be encrypted individually Or data from the first block can be used in the

encryption of the second, and so on

DES

Data Encryption Standard DES is a typical block cipher It was chosen as the government's

standard for encryption in 1976 (but has since been deprecated)

DES works on blocks 64 bits in size DES uses a 56 bit key NSA helped design it… amidst some

controversy

History In the 1970’s, the National Bureau of Standards (NBS) saw the

need for a publicly available encryption standard They called for proposals that met the following criteria:

High level of security Easy to understand Publishable (no security through obscurity) Available to everyone Adaptable for many applications Economical to implement in hardware Efficient to use Able to be validated Exportable

A cryptosystem called Lucifer developed by IBM was adapted into the resulting DES

NBS was reorganized into the National Institute of Standards and Technology in 1988

Exportability After WWII (the birth of modern cryptography), many

governments saw the immense value of crypto Countries like the US with good crypto didn’t want their enemies to have

it Strong encryption was listed as an Auxiliary Weapons Technology

on the US Munitions List 40 bit or weaker encryption could be exported 240 possibilities can be brute forced in days (or hours)

In 1996, Bill Clinton signed an executive order that moved commercial encryption from the Munitions List to the Commerce Control List

It is still technically possible to be arrested for exporting software that can perform strong encryption and decryption But it is no longer illegal arms trafficking

Although DES is longer than 40 bits, its 56 bits seem to be in the range that never really posed a problem for the feds

DES internals DES has 16 rounds

The book calls them cycles In each round, the input is broken into 2 halves,

manipulated, and combined with part of the keyInput

Permutation

Left0 Right0f

Key1Left1 Right1+

Left0 Right0

S-boxes

DES uses bitwise operations as well as lookup tables

DES has 8 substitution boxes (S-boxes) which take 6 bits of data and give back 4

The function from the F circle

The expansion permutation takes 32 input bits and expands them into 48 bits while permuting them 16 bits are repeated

These 48 bits are XORed with the round key

The resulting 48 bits are substituted through S-boxes which produces a 32 bit result

The final 32 bits are permuted

Expansion

Permutation

XOR with Key

S-box

P-box

Key schedule The encryption key is 64 bits, but only 56

bits are used The other 8 bits are for parity

Each of the 16 rounds has a 48 bit round key To produce the round key, the left and right

halves of the 56 bit key are independently shifted by either 1 or 2 bits, depending on the round

48 bits are chosen and permuted by a key transformation box

There is an initial permutation before the rounds

There is a final permutation after the rounds

Otherwise, each round feeds into the next one

Final DES encryption

Decryption The same algorithm is used for encryption and

decryption Input for round j is derived from round j – 1

To work backwards, we can solve for round j - 1

And by substitution:

We simply supply the round keys in backward order

NSA controversy The NSA tinkered with DES

They shortened the key length from the original 128 bits of Lucifer to 56

They changed the S-boxes People were concerned that the NSA had introduced a

trapdoor so that they could read messages Eventually, the NSA released information about the

choice of S-boxes: No S-box is a linear or affine function of its input Changing 1 bit of the S-box input changes at least 2 bits of

its output If a single bit is held constant, changing the others should

not radically change the total number of 1s or 0s in the output

NSA exonerated

In 1990, researchers independently discovered differential cryptanalysis It uses related plaintext-ciphertext pairs to

trace small changes in input to the output The changes the NSA made to the S-

boxes made them significantly more resistant to differential cryptanalysis

Declassified explanations show that people at IBM and the NSA knew about differential cryptanalysis in the 1970s

Key oddities DES has four weak keys that are their own inverse

Encryption = decryption for these keys They are all 1s, all 0s, or half and half

DES has six pairs of semiweak keys Encryption with one key is the same as decryption with

the other in the pair Complements:

If c = DES(p, k) then c = DES(p, k) These problems are easily avoidable

Don’t use weak or semiweak keys People are usually not encrypting the negation of a

plaintext with the negation of a key

DES strengths

DES is fast Easy to implement in software or

hardware Encryption is the same as decryption Triple DES is still standard for many

financial applications Resistant to differential and linear

cryptanalysis (247 and 243 known pairs required, respectively)

DES weaknesses

Short key size Brute force attack by EFF in 1998 in 56

hours then in 1999 in just over 22 hours Brute force attack by University of Bochum

and Kiel in 9 days in 2006 (but, using a machine costing only $10,000)

If you could check 1,000,000,000 keys per second (which is unlikely with a commodity PC), it would take an average of 417 days to recover a key

Double and Triple DES

Improving DES

The short key size leaves DES vulnerable to brute force attacks

How can we make up for this weakness?

Possibilities: Encrypt twice with DES Encrypt three times with DES …

Double DES "DES is wrong if you listen to NIST, Double DES

ain't no better, man, that got dissed"--MC Plus+

Double DES encrypts a plaintext with DES twice, using two different keys

Double DES is susceptible to a meet-in-the-middle attack

This attack uses a space-time tradeoff Although two keys should mean 56 + 56 = 112

bits of security or 2112 time for a brute force attack, the meet-in-the-middle attack can run in roughly 257 or 258 time, using 256 space

Double DES attack

K1 492989976

K2 688857766

K3 282627672

K4 499659602

K5 532263602

K6 498278096

K7 752271744

K8 846172716

864059530 K1

717075649 K2

993328605 K3

991061777 K4

154785500 K5

210537840 K6

688857766 K7

528110960 K8

Encrypt P1 Decrypt C1 Two pairs of plaintexts and ciphertexts are needed

Encrypt P1 with all possible keys and save them

Decrypt C1 with all possible keys If the result matches

anything in the list, use the key to encrypt P2

If that matches C2, you win!

On the left, I show all the decryptions, but only the encryptions need to be stored

Triple DES Although susceptible to a brute force attack, DES has

no other major weaknesses Double DES can be defeated by an extension of the brute

force attack What about triple DES?

Let EK(X) and DK(X) be encryption and decryption using DES with key K

Triple DES uses keys K1, K2, and K3 C = EK1(DK2(EK3(M))) Setting K1 = K2 = K3 allows for compatibility with single

DES systems Triple DES is still a standard for financial transactions

with no known practical attacks

Quiz

Upcoming

Next time…

Finish DES AES Nick Viscardi presents

Reminders

Keep reading Sections 2.3 and 12.2 Work on Project 1

Due next Friday Finish Assignment 1

Due tonight by midnight! There's also a field trip to Cargas

Systems in Lancaster today Leaves Esbenshade at 3:30pm