lecture 02 symmetric cryptography asst.prof. supakorn kungpisdan, ph.d. supakorn@mut.ac.th...

Lecture 02 Symmetric Cryptography

Asst.Prof. Supakorn Kungpisdan, Ph.D.supakorn@mut.ac.th

NETE0519-ISEC0513 1

NETE0519-ISEC0513

Outline

Overview of Cryptography Symmetric Cryptography Classical Cryptographic Techniques Block Ciphers VS Stream Cipher DES and 3DES Advanced Encryption Standard (AES) Design of Symmetric Cryptosystems Locations of Encryption Devices Key Distribution Random Numbers Problems of Symmetric Cryptography

2

NETE0519-ISEC0513

Basic Terminology plaintext - original message ciphertext - coded message cipher - algorithm for transforming plaintext to ciphertext key - info used in cipher known only to sender/receiver encipher (encrypt) - converting plaintext to ciphertext decipher (decrypt) - recovering ciphertext from plaintext cryptography - study of encryption principles/methods cryptanalysis (codebreaking) - study of principles/ methods of

deciphering ciphertext without knowing key cryptology - field of both cryptography and cryptanalysis

3

NETE0519-ISEC0513

How a Cryptosystem Works

Plaintext (M) (data file or messages)

encryption algorithm (E) + secret key A (KA)

Ciphertext (C) (stored or transmitted safely)

decryption algorithm (D) + secret key B (KB)

Plaintext (M) (original data or messages)

Note: Key A may be the same as Key B, depending on the algorithm

EKa(M) = CDKb(C) = MDKb(EKa(M)) = M

4

NETE0519-ISEC0513

Brute Force Search always possible to simply try every key most basic attack, proportional to key size assume either know / recognise plaintext

Key Size (bits) Number of Alternative Keys

Time required at 1 decryption/µs

Time required at 106 decryptions/µs

32 232 = 4.3 109 231 µs = 35.8 minutes 2.15 milliseconds

56 256 = 7.2 1016 255 µs = 1142 years 10.01 hours

128 2128 = 3.4 1038 2127 µs = 5.4 1024 years 5.4 1018 years

168 2168 = 3.7 1050 2167 µs = 5.9 1036 years 5.9 1030 years

26 characters (permutation)

26! = 4 1026 2 1026 µs = 6.4 1012 years 6.4 106 years

5

NETE0519-ISEC0513

Types of Cryptography

Symmetric Cryptography Deploy the same secret key to encrypt and decrypt messages The secret key is shared between two parties Encryption algorithm is the same as decryption algorithm

Asymmetric (Public-key) Cryptography Private key, Public key The secret key is not shared and two parties can still

communicate using their public keys Encryption alg. is different from decryption alg.

6

NETE0519-ISEC0513

Symmetric Cryptography

7

NETE0519-ISEC0513

Public-Key Cryptography

8

NETE0519-ISEC0513

Outline

Overview of Cryptography Symmetric Cryptography Classical Cryptographic Techniques Block Ciphers VS Stream Ciphers DES and 3DES Advanced Encryption Standard (AES) Design of Symmetric Cryptosystems Locations of Encryption Devices Key Distribution Random Numbers Problems of Symmetric Cryptography

9

NETE0519-ISEC0513

Model of Symmetric Cryptosystem

10

NETE0519-ISEC0513

What is Symmetric Encryption used for?

Transmitting data over an insecure channel Secure stored data (encrypt & store) Provide integrity check

11

NETE0519-ISEC0513

Properties of Symmetric Cryptography

Message Confidentiality Message Authentication Message Integrity

12

NETE0519-ISEC0513

Depending on what a cryptanalyst has to work with, attacks can be classified into Ciphertext only attack Known plaintext attack Chosen plaintext attack Chosen ciphertext attack (most severe)

Cryptanalysis

13

NETE0519-ISEC0513

Ciphertext-only Attack

Collect ciphertexts of several messages encrypted using the same encryption algorithm and try to recover plaintexts or encrypting key(s).

Given: C1 = Ek(P1), C2=Ek(P2), ..., Ci=Ek(Pi)

Deduce: Either P1, P2, …, Pi; k; or an algorithm to infer Pi+1 from Ci+1=Ek(Pi+1)

14

NETE0519-ISEC0513

Known-plaintext Attack

Able to collect ciphertext of several messages and corresponding plaintext, and try to resolve the encrypting key(s).

Given: P1, C1 = Ek(P1), P2, C2=Ek(P2), ..., Pi, Ci=Ek(Pi)Deduce: Either k, or an algorithm

to infer Pi+1 from Ci+1=Ek(Pi+1)

15

NETE0519-ISEC0513

Chosen-plaintext Attack

Able to collect ciphertext of several messages and associated plaintext, and also able to choose the plaintext that gets encrypted. Try to deduce the encrypting key(s).

More powerful than known-plaintext attack

Given: P1, C1 = Ek(P1), P2, C2=Ek(P2), ..., Pi, Ci=Ek(Pi)

where the cryptanalyst gets to choose P1,…, Pi

Deduce: Either k, or an algorithm

to infer Pi+1 from Ci+1=Ek(Pi+1)

16

NETE0519-ISEC0513

Chosen-ciphertext Attack

Able to choose different ciphertext to be decrypted and has access to the decrypted plaintext. Try to deduce the key

E.g. has access to a tamperproof box that does automatically decryption.

Given: C1, P1 = Dk(C1), C2, P2=Dk(C2), ..., Ci, Pi=Dk(Ci)Deduce: k

Primarily applicable to public-key algorithms.

17

More Definitions

unconditional security no matter how much computer power or time is

available, the cipher cannot be broken since the ciphertext provides insufficient information to uniquely determine the corresponding plaintext

computational security given limited computing resources (eg time needed for

calculations is greater than age of universe), the cipher cannot be broken

18NETE0519-ISEC0513

NETE0519-ISEC0513

Outline

Overview of Cryptography Symmetric Cryptography Classical Cryptographic Techniques Block Ciphers VS Stream Ciphers DES and 3DES Advanced Encryption Standard (AES) Design of Symmetric Cryptosystems Locations of Encryption Devices Key Distribution Random Numbers Problems of Symmetric Cryptography

19

NETE0519-ISEC0513

Substitution Ciphers

Character in plaintext is substituted for another character in ciphertext

Caesar Cipher: each plaintext character is replaced by the character three to the right modulo 26. E.g. AD, BE, XA

ROT13: commonly found in UNIX systems. Every plaintext character is rotated 13 places.

20

NETE0519-ISEC0513

Caesar Cipher

earliest known substitution cipher by Julius Caesar first attested use in military affairs replaces each letter by 3rd letter on example:

meet me after the toga partyPHHW PH DIWHU WKH WRJD SDUWB

21

NETE0519-ISEC0513

K=3

Inner: ciphertextOuter: plaintext

22

Caesar Cipher (cont.)

NETE0519-ISEC0513

Caesar Cipher (cont.)

can define transformation as:a b c d e f g h i j k l m n o p q r s t u v w x y z

D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

mathematically give each letter a numbera b c d e f g h i j k l m n o p q r s t u v w x y z

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

then have Caesar cipher as:c = E(p) = (p + k) mod (26)p = D(c) = (c – k) mod (26)

23

NETE0519-ISEC0513

Cryptanalysis of Caesar Cipher

only have 26 possible ciphers A maps to A,B,..Z

could simply try each in turn a brute force search given ciphertext, just try all shifts of letters do need to recognize when have plaintext eg. break ciphertext "GCUA VQ DTGCM"

24

Monoalphabetic Cipher

rather than just shifting the alphabet could shuffle (jumble) the letters arbitrarily each plaintext letter maps to a different random ciphertext

letter hence key is 26 letters long

Plain: abcdefghijklmnopqrstuvwxyzCipher: DKVQFIBJWPESCXHTMYAUOLRGZN

Plaintext: ifwewishtoreplacelettersCiphertext: WIRFRWAJUHYFTSDVFSFUUFYA

25NETE0519-ISEC0513

Monoalphabetic Cipher Security

now have a total of 26! = 4 x 1026 keys with so many keys, might think is secure but would be !!!WRONG!!! problem is language characteristics

26NETE0519-ISEC0513

Language Redundancy and Cryptanalysis

human languages are redundant eg "th lrd s m shphrd shll nt wnt" letters are not equally commonly used in English E is by far the most common letter

followed by T,R,N,I,O,A,S other letters like Z,J,K,Q,X are fairly rare have tables of single, double & triple letter frequencies for

various languages

27NETE0519-ISEC0513

English Letter Frequencies

28NETE0519-ISEC0513

Use in Cryptanalysis key concept - monoalphabetic substitution ciphers do not

change relative letter frequencies discovered by Arabian scientists in 9th century calculate letter frequencies for ciphertext compare counts/plots against known values if caesar cipher look for common peaks/troughs

peaks at: A-E-I triple, NO pair, RST triple troughs at: JK, X-Z

for monoalphabetic must identify each letter tables of common double/triple letters help

29NETE0519-ISEC0513

Example Cryptanalysis

given ciphertext:UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ

VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX

EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ

count relative letter frequencies (see text) guess P & Z are e and t guess ZW is th and hence ZWP is the proceeding with trial and error finally get:

it was disclosed yesterday that several informal but

direct contacts have been made with political

representatives of the viet cong in moscow

30NETE0519-ISEC0513

Vigenère Cipher

simplest polyalphabetic substitution cipher effectively multiple caesar ciphers key is multiple letters long K = k1 k2 ... kd ith letter specifies ith alphabet to use use each alphabet in turn repeat from start after d letters in message decryption simply works in reverse

31NETE0519-ISEC0513

Example of Vigenère Cipher

write the plaintext out write the keyword repeated above it use each key letter as a caesar cipher key encrypt the corresponding plaintext letter eg using keyword deceptive

key: deceptivedeceptivedeceptiveplaintext: wearediscoveredsaveyourselfciphertext:ZICVTWQNGRZGVTWAVZHCQYGLMGJ

32NETE0519-ISEC0513

Transposition Ciphers

now consider classical transposition or permutation ciphers

these hide the message by rearranging the letter order

without altering the actual letters used can recognise these since have the same

frequency distribution as the original text

33NETE0519-ISEC0513

Rail Fence cipher

write message letters out diagonally over a number of rows then read off cipher row by row eg. write message out as:

m e m a t r h t g p r y

e t e f e t e o a a t

giving ciphertextMEMATRHTGPRYETEFETEOAAT

34NETE0519-ISEC0513

Row Transposition Ciphers

a more complex transposition write letters of message out in rows over a

specified number of columns then reorder the columns according to some key

before reading off the rowsKey: 3 4 2 1 5 6 7Plaintext: a t t a c k p o s t p o n e d u n t i l t w o a m x y zCiphertext: APTMTTNAAODWTSUOCOIXKNLYPETZ

35NETE0519-ISEC0513

NETE0519-ISEC0513

Steganography

Plaintext can be hidden by two ways: Steganography: conceal the existence of the message Cryptography: render the message unintelligible to outsiders

using various kinds of transformation of the text Examples of Steganography

Character marking: overwrite text with pencil Invisible ink: use special substance Pin punctures: pin puncture on selected letters

36

NETE0519-ISEC0513

One-Time Pad

One-time pad is a large non-repeating set of truly random key letters Encryption is a additional modulo 26 of plaintext character Pad length must be equal to the message length !!! For example:

Message: ONETIMEPAD Pad Sequence: TBFRGFARFM Ciphertext: IPKLPSFHGQBecauseO+T mod 26 = I 15+20 mod 26 = 9N+B mod 26 = P 14+2 mod 26 = 16E+F mod 26 = K, etc.

DecryptionP+K mod 26 = C P = C-K mod 26I-T mod 26 = 9-20 mod 26 = -11 mod 26 = -11+26 mod 26 = 15 mod 26 = O

37

One-Time Pad (cont.)

if a truly random key as long as the message is used, the cipher will be secure

called a One-Time pad is unbreakable since ciphertext bears no statistical

relationship to the plaintext since for any plaintext & any ciphertext there exists a

key mapping one to other can only use the key once though problems in generation & safe distribution of key

38NETE0519-ISEC0513

NETE0519-ISEC0513

Outline

Overview of Cryptography Symmetric Cryptography Classical Cryptographic Techniques Block Ciphers VS Stream Ciphers DES and 3DES Advanced Encryption Standard (AES) Design of Symmetric Cryptosystems Locations of Encryption Devices Key Distribution Random Numbers Problems of Symmetric Cryptography

39

NETE0519-ISEC0513

Cryptographic ProcessMessage

m1 m2 mn

Encryption

c1 c2 cn

Ciphertext

Message

m1 m2 mn

Decryption

c1 c2 cn

Ciphertext

40

NETE0519-ISEC0513

Block Cipher VS Stream Cipher

Block cipher: divides entire message in to blocks used to produce ciphertext.

Stream cipher: encrypts a data stream one bit or one byte at a time.

41

Stream Ciphers

process message bit by bit (as a stream) have a pseudo random keystream combined (XOR) with plaintext bit by bit randomness of stream key completely destroys statistically

properties in message Ci = Mi XOR StreamKeyi

but must never reuse stream key otherwise can recover messages (cf book cipher)

42NETE0519-ISEC0513

Stream Cipher Structure

43NETE0519-ISEC0513

Stream Cipher Properties

some design considerations are: long period with no repetitions statistically random depends on large enough key large linear complexity

properly designed, can be as secure as a block cipher with same size key

but usually simpler & faster

44NETE0519-ISEC0513

RC4

a proprietary cipher owned by RSA DSI another Ron Rivest design, simple but effective variable key size, byte-oriented stream cipher widely used (web SSL/TLS, wireless WEP) key forms random permutation of all 8-bit values uses that permutation to scramble input info processed a

byte at a time

45NETE0519-ISEC0513

RC4 Key Schedule

starts with an array S of numbers: 0..255 use key to well and truly shuffle S forms internal state of the cipher

for i = 0 to 255 doS[i] = iT[i] = K[i mod keylen])

j = 0

for i = 0 to 255 do j = (j + S[i] + T[i]) (mod 256) swap (S[i], S[j])

46NETE0519-ISEC0513

RC4 Encryption

encryption continues shuffling array values sum of shuffled pair selects "stream key" value from

permutation XOR S[t] with next byte of message to en/decrypt

i = j = 0

for each message byte Mi

i = (i + 1) (mod 256)j = (j + S[i]) (mod 256)swap(S[i], S[j])t = (S[i] + S[j]) (mod 256)

Ci = Mi XOR S[t]

47NETE0519-ISEC0513

RC4 Overview

48NETE0519-ISEC0513

RC4 Security

claimed secure against known attacks have some analyses, none practical

result is very non-linear since RC4 is a stream cipher, must never reuse a

key have a concern with WEP, but due to key handling

rather than RC4 itself

49NETE0519-ISEC0513

Block Cipher Principles

most symmetric block ciphers are based on a Feistel Cipher Structure

needed since must be able to decrypt ciphertext to recover messages efficiently

block ciphers look like an extremely large substitution would need table of 264 entries for a 64-bit block instead create from smaller building blocks using idea of a product cipher

50NETE0519-ISEC0513

Ideal Block Cipher

51NETE0519-ISEC0513

Claude Shannon and Substitution-Permutation Ciphers

Claude Shannon introduced idea of substitution-permutation (S-P) networks in 1949 paper

form basis of modern block ciphers S-P nets are based on the two primitive cryptographic

operations seen before: substitution (S-box) permutation (P-box)

provide confusion & diffusion of message & key

NETE0519-ISEC0513 52

NETE0519-ISEC0513

Diffusion and Confusion

Confusion: hard to find any relationship between ciphertext and key.

Diffusion: spreads influence of individual plaintext or key bits over as much of the ciphertext as possible.

In particular, one bit change of plaintext or key must increase the difficulty of cryptanalysis.

53

NETE0519-ISEC0513

Block Cipher

Divide a message M into m1, …, mn Add padding to last block

Use Ek to produce (ciphertext blocks) x1, …, xn

Use Dk to recover M from m1, …, mn

Modes of Block Ciphers: Electronic Codebook Cipher Block Chaining Cipher Feedback Output Feedback Counter (CTR)

54

NETE0519-ISEC0513

Electronic Codebook

55

NETE0519-ISEC0513

Electronic Codebook (cont’d)

Ideal for short amount of data transfer e.g. encryption key ECB produces the same message pattern if using the

same input. Not secure for lengthy message, easy for cryptanalysis.

56

NETE0519-ISEC0513

Cipher Block Chaining

57

NETE0519-ISEC0513

Cipher Feedback

58

NETE0519-ISEC0513

Output Feedback

59

Counter (CTR)

a “new” mode, though proposed early on similar to OFB but encrypts counter value rather

than any feedback value must have a different key & counter value for every

plaintext block (never reused)Ci = Pi XOR Oi

Oi = DESK1(i)

uses: high-speed network encryptions

60NETE0519-ISEC0513

Counter (CTR) (cont.)

61NETE0519-ISEC0513

Advantages and Limitations of CTR

efficiency can do parallel encryptions in h/w or s/w can preprocess in advance of need good for bursty high speed links

random access to encrypted data blocks provable security (good as other modes) but must ensure never reuse key/counter values,

otherwise could break (cf OFB)

62NETE0519-ISEC0513

NETE0519-ISEC0513

Outline

Overview of Cryptography Symmetric Cryptography Classical Cryptographic Techniques Block Ciphers VS Stream Ciphers DES and 3DES Advanced Encryption Standard (AES) Design of Symmetric Cryptosystems Locations of Encryption Devices Key Distribution Random Numbers Problems of Symmetric Cryptography

63

NETE0519-ISEC0513 64

Feistel Cipher Structure

Virtually all conventional block encryption algorithms, including DES have a structure first described by Horst Feistel of IBM in 1973

The realization of a Fesitel Network depends on the choice of the following parameters and design features (see next slide):

NETE0519-ISEC0513 65

Feistel Cipher Structure (cont.) Block size: larger block sizes mean greater security Key Size: larger key size means greater security Number of rounds: multiple rounds offer increasing

security Subkey generation algorithm: greater complexity will

lead to greater difficulty of cryptanalysis. Fast software encryption/decryption: the speed of

execution of the algorithm becomes a concern Roung Function (F): Greater complexity is better,

resistance to cryptanalysis

NETE0519-ISEC0513

Feistel Encryption and Decryption

66

NETE0519-ISEC0513

Proof: LD1 = RE15

Encryption side:

LE16 = RE15

RE16 = LE15 F(RE15, K16)Decryption side:

LD1 = RD0 = LE16 = RE15

RD1 = LD0 F(RD0, K16)

= RE16 F(RE15, K16)

= [LE15 F(RE15, K16)] F(RE15, K16)

= LE15 [F(RE15, K16) F(RE15, K16)]

= LE15 0

= LE15

67

Data Encryption Standard (DES)

most widely used block cipher in world adopted in 1977 by NBS (now NIST)

as FIPS PUB 46 encrypts 64-bit data using 56-bit key has widespread use has been considerable controversy over its security

68NETE0519-ISEC0513

DES History

IBM developed Lucifer cipher by team led by Feistel in late 60’s used 64-bit data blocks with 128-bit key

then redeveloped as a commercial cipher with input from NSA and others

in 1973 NBS issued request for proposals for a national cipher standard

IBM submitted their revised Lucifer which was eventually accepted as the DES

69NETE0519-ISEC0513

DES Design Controversy

although DES standard is public was considerable controversy over design

in choice of 56-bit key (vs Lucifer 128-bit) and because design criteria were classified

subsequent events and public analysis show in fact design was appropriate

use of DES has flourished especially in financial applications still standardised for legacy application use

70NETE0519-ISEC0513

NETE0519-ISEC0513

Data Encryption Standard (DES)

A block of 64-bit data is encrypted using 56-bit key to produce a 64-bit block of ciphertext.

Decryption can be done by encrypting the ciphertext using the same key.

71

NETE0519-ISEC0513

DES Encryption

72

NETE0519-ISEC0513

Single Round of DES Encryption

73

NETE0519-ISEC0513

Permutation Table for DES

74

NETE0519-ISEC0513

Permutation Tables for DES

75

NETE0519-ISEC0513

DES Key Schedule Calculation

Permuted Choice 1 and 2

76

NETE0519-ISEC0513

Calculation of F(R, K)

1. R is expanded to 48 bits.2. The expanded R is XORed with 48-bit K.3. Split 48-bit data into 8 groups of 6-bit data to enter S-Boxes4. For each of the group, do the following:

1. For the 6-bit data to enter each Si, 1st and 6th bits form a 2-bit binary number to identity the row number in Si.

2. The decimal value of 2nd – 5th bits identify the column number in Si.

3. The selected decimal value from Si is then converted into 4-bit binary output of Si.

77

NETE0519-ISEC0513

DES S-Boxes

Permutation Function

78

NETE0519-ISEC0513

DES S-Boxes (cont.)

79

NETE0519-ISEC0513

DES S-Boxes (cont.)

80

NETE0519-ISEC0513

Example

Input to S5: 100111 1st and 6th bits are 11 -> row 3 2nd-5th bits are 0011 -> column 3 The decimal value in row 3 and column 3 of S5 is 7. The output value of S5 is 0111

2 12 4 1 7 …14 11 2 12 4 … 4 2 1 11 10 …11 8 12 7 1 …

S5

81

NETE0519-ISEC0513

Avalanche Effect

key desirable property of encryption alg where a change of one input or key bit results in changing

approx half output bits making attempts to “home-in” by guessing keys impossible DES exhibits strong avalanche

82

NETE0519-ISEC0513

Avalanche Effect in DES

83

NETE0519-ISEC0513

Strength of DES – Key Size

56-bit keys have 256 = 7.2 x 1016 values brute force search looks hard recent advances have shown is possible

in 1997 on Internet in a few months in 1998 on dedicated h/w (EFF) in a few days in 1999 above combined in 22hrs! Recently, ....

still must be able to recognize plaintext must now consider alternatives to DES

84

NETE0519-ISEC0513

More about DES If only the attack on DES

is brute force, then use longer key size.

85

NETE0519-ISEC0513

Multiple Encryption & DES

clear a replacement for DES was needed theoretical attacks that can break it demonstrated exhaustive key search attacks

AES is a new cipher alternative prior to this alternative was to use multiple encryption with

DES implementations Triple-DES (3DES) is the chosen form

86

NETE0519-ISEC0513

3DES with Two-Keys

hence must use 3 encryptions would seem to need 3 distinct keys

but can use 2 keys with E-D-E sequence C = EK1(DK2(EK1(P))) nb encrypt & decrypt equivalent in security if K1=K2 then can work with single DES

standardized in ANSI X9.17 & ISO8732 no current known practical attacks

87

NETE0519-ISEC0513

3DES with Two-Keys (cont.)

88

NETE0519-ISEC0513

Triple-DES with Three-Keys

although are no practical attacks on two-key Triple-DES have some indications

can use Triple-DES with Three-Keys to avoid even these C = EK3(DK2(EK1(P)))

has been adopted by some Internet applications, eg PGP, S/MIME

89

NETE0519-ISEC0513

3DES with Three-Keys (cont.)

90

NETE0519-ISEC0513 91

Other Symmetric Block Ciphers

International Data Encryption Algorithm (IDEA) 128-bit key Used in PGP

Blowfish Easy to implement High execution speed Run in less than 5K of memory

NETE0519-ISEC0513 92

Other Symmetric Block Ciphers

RC5 Suitable for hardware and software Fast, simple Adaptable to processors of different word lengths Variable number of rounds Variable-length key Low memory requirement High security Data-dependent rotations

Cast-128 Key size from 40 to 128 bits The round function differs from round to round

NETE0519-ISEC0513

Outline

Overview of Cryptography Symmetric Cryptography Classical Cryptographic Techniques Block Ciphers VS Stream Ciphers DES and 3DES Advanced Encryption Standard (AES) Design of Symmetric Cryptosystems Locations of Encryption Devices Key Distribution Random Numbers Problems of Symmetric Cryptography

93

NETE0519-ISEC0513

Origins

clear a replacement for DES was needed have theoretical attacks that can break it have demonstrated exhaustive key search attacks

can use Triple-DES – but slow, has small blocks US NIST issued call for ciphers in 1997 15 candidates accepted in Jun 98 5 were shortlisted in Aug-99 Rijndael was selected as the AES in Oct-2000 issued as FIPS PUB 197 standard in Nov-2001

94

NETE0519-ISEC0513

AES Requirements

private key symmetric block cipher 128-bit data, 128/192/256-bit keys stronger & faster than Triple-DES active life of 20-30 years (+ archival use) provide full specification & design details both C & Java implementations NIST have released all submissions & unclassified

analyses

95

NETE0519-ISEC0513

AES

128-bit plaintext block Key length -> 128, 192, 256 bits 10 rounds for each encryption and decryption 128-bit plaintext is divided into 16 8-bit (1-byte) blocks. 128-bit key is generated to 44 32-bit “words”, and 4

different words will be used in each round 11 sets of 4-word keys are used in 10-round encryption ! Decryption algorithm is not identical to encryption algorithm

96

NETE0519-ISEC0513

AES Parameters

97

AES Key Expansion

98NETE0519-ISEC0513

NETE0519-ISEC0513

AES Encryption and Decryption

XOR

XOR

99

NETE0519-ISEC0513

AES Encryption

4 stages in each round: Substitution bytes -> use S-box for byte-to-byte

substitution Shift rows -> simple row-by-row permutation Mix columns -> a substitution that alters each byte in a

column as a function of all of the bytes in the column Add round keys -> bitwise XOR of the current block with

the key

100

AES Encryption Round

NETE0519-ISEC0513

16 bytes

101

SubBytes

NETE0519-ISEC0513 102

SubBytes (cont.)

NETE0519-ISEC0513

S-box103

SubBytes (cont.)

NETE0519-ISEC0513

Inverse S-box104

SubBytes (cont.)

NETE0519-ISEC0513 105

ShiftRows

NETE0519-ISEC0513 106

MixColumns

NETE0519-ISEC0513 107

MixColumns (cont.)

NETE0519-ISEC0513 108

AddRoundKey

NETE0519-ISEC0513 109

AddRoundKey (cont.)

NETE0519-ISEC0513 110

AES Operations

NETE0519-ISEC0513 111

Implementation Aspects

can efficiently implement on 8-bit CPU byte substitution works on bytes using a table of 256

entries shift rows is simple byte shift add round key works on byte XOR’s mix columns requires matrix multiply in GF(28) which

works on byte values, can be simplified to use table lookups & byte XOR’s

112NETE0519-ISEC0513

Implementation Aspects (cont.)

can efficiently implement on 32-bit CPU redefine steps to use 32-bit words can precompute 4 tables of 256-words then each column in each round can be computed using

4 table lookups + 4 XORs at a cost of 4Kb to store tables

designers believe this very efficient implementation was a key factor in its selection as the AES cipher

113NETE0519-ISEC0513

NETE0519-ISEC0513

Outline

Overview of Cryptography Symmetric Cryptography Classical Cryptographic Techniques Block Ciphers Vs Stream Ciphers DES and 3DES Advanced Encryption Standard (AES) Design of Symmetric Cryptosystems Locations of Encryption Devices Key Distribution Random Numbers Problems of Symmetric Cryptography

114

NETE0519-ISEC0513

Design of Symmetric Cryptosystems

A Cryptographic algorithm should be efficient for good use It should be fast and key length should be of the right

length – e.g.; not too short Cryptographic algorithms are not impossible to

break without a key If we try all the combinations, we can get the original

message

2-115115

NETE0519-ISEC0513

Design of Symmetric Cryptosystems (cont.)

The security of a cryptographic algorithm depends on how much work it takes for someone to break it E.g. If it takes 10 mil. years to break a cryptographic

algorithm X using all the computers of a state, X can be thought of as a secure one – reason: cluster computers and quantum computers are powerful enough to crack many current cryptographic algorithms.

116

NETE0519-ISEC0513

Design of Symmetric Cryptosystems (cont.)

Encryption Algorithm Design Should the block size of messages be small or

large? Should the keyspace be large? Should we consider other search rather than

brute-force search?

2-117117

NETE0519-ISEC0513

Outline

Overview of Cryptography Symmetric Cryptography Classical Cryptographic Techniques Block Ciphers VS Stream Ciphers DES and 3DES Advanced Encryption Standard (AES) Design of Symmetric Cryptosystems Locations of Encryption Devices Key Distribution Problems of Symmetric Cryptography

118

NETE0519-ISEC0513

Placement of Encryption

have two major placement alternatives link encryption

encryption occurs independently on every link implies must decrypt traffic between links requires many devices, but paired keys

end-to-end encryption encryption occurs between original source and final

destination need devices at each end with shared keys

119

NETE0519-ISEC0513

Locations of Encryption Devices

120

NETE0519-ISEC0513

Placement of Encryption (cont.)

when using end-to-end encryption must leave headers in clear so network can correctly route information

hence although contents protected, traffic pattern flows are not

ideally want both at once end-to-end protects data contents over entire path and

provides authentication link protects traffic flows from monitoring

121

NETE0519-ISEC0513

Placement of Encryption (cont.)

can place encryption function at various layers in OSI Reference Model link encryption occurs at layers 1 or 2, 3 end-to-end can occur at layers 4, 6, 7 as move higher less information is encrypted but it is

more secure though more complex with more entities and keys

122

NETE0519-ISEC0513

Link Encryption VS End-to-end Encryption

123

NETE0519-ISEC0513

Encryption VS Protocol Level

124

NETE0519-ISEC0513

Traffic Padding

125

NETE0519-ISEC0513

Outline

Overview of Cryptography Symmetric Cryptography Classical Cryptographic Techniques Block Ciphers VS Stream Ciphers DES and 3DES Advanced Encryption Standard (AES) Design of Symmetric Cryptosystems Locations of Encryption Devices Key Distribution Random Numbers Problems of Symmetric Cryptography

126

NETE0519-ISEC0513

Key Distribution

The security of symmetric cryptosystem is based on the security of key distribution.

Important process two hosts need a shared key before transmitting a message securely.

Secret key must be securely distributed between hosts, and need to be updated frequently.

But, HOW can we securely distribute the shared key?

127

NETE0519-ISEC0513

Key Exchange with Symmetric Cryptography

Two kinds of keys: Session key

temporary key used for encryption of data between users for one logical session then discarded

Master key used to encrypt and distribute session keys shared by user & key distribution center

Key Distribution Center (KDC) Shares permanent key with hosts Distributes session keys upon the requests of hosts

128

NETE0519-ISEC0513

Key Distribution Scenario

129

NETE0519-ISEC0513

Steps

1. Alice sends a request (IDA, IDB) for a session key and a nonce (N1) to KDC. Nonce may be a random number. What is nonce for?

2. KDC sends an encrypted message to A containing:1. Session key KS

2. Encrypted session key for Bob EKb(KS, IDA)

3. Alice forwards EKb(KS, IDA) to Bob. Bob can decrypt it. (anyone else?)

4. Bob confirms that he has received KS by sending Alice EKs[N2].5. Alice responses by sending f(N2) encrypted with KS.

130

NETE0519-ISEC0513

Hierarchical Key Control

In a very large network, a single KDC is not enough -> a hierarchy of KDCs can be established.

Local KDCs and a global KDC Local KDC is responsible for parties in the same domain, whereas

global KDC is taking care of communications of parties in different domains.

131

Key Distribution Issues

hierarchies of KDC’s required for large networks, but must trust each other

session key lifetimes should be limited for greater security

use of automatic key distribution on behalf of users, but must trust system

use of decentralized key distribution controlling key usage

132NETE0519-ISEC0513

NETE0519-ISEC0513

Session Key Lifetime

The more frequently session keys are exchanged, the more secure they are.

However, each session key distribution causes delays. In connection-oriented protocols, a new session key is

issued for each connection. However, if the connection is open for a long time, it may

be needed to retransmit a new session key. In connectionless protocols, not obvious how often the new

session key is exchanged. A better strategy is to use a given session key for a certain

fixed period only or for a certain number of transaction.

133

NETE0519-ISEC0513

A Transparent Key Control Scheme

134

NETE0519-ISEC0513

Decentralized Key Control

Centralized Key Control -> KDC is normally assumed to be trusted and secured from attacks.

However, attacks may occur. -> try decentralized approach

Decentralization is suitable for local connection. Involved parties need a master key between pairs of

parties as many as [n(n-1)]/2 keys among n users.

135

NETE0519-ISEC0513

Decentralized Key Distribution

136

NETE0519-ISEC0513

Decentralized Key Distribution (cont.)

1. Alice and Bob share a master key MKm.

2. Alice sends a request for a session key with a nonce N1 to Bob.

3. Bob sends KS encrypted with shared master key MKm. The message contains a nonce N2.

4. Alice responses with f(N2) encrypted with the session key.

137

NETE0519-ISEC0513

Outline

Overview of Cryptography Symmetric Cryptography Classical Cryptographic Techniques Block Ciphers VS Stream Ciphers DES and 3DES Advanced Encryption Standard (AES) Design of Symmetric Cryptosystems Locations of Encryption Devices Key Distribution Random Numbers Problems of Symmetric Cryptography

138

Random Numbers

many uses of random numbers in cryptography nonces in authentication protocols to prevent replay session keys public key generation keystream for a one-time pad

in all cases its critical that these values be statistically random, uniform distribution, independent unpredictability of future values from previous values

139NETE0519-ISEC0513

Pseudorandom Number Generators (PRNGs)

often use deterministic algorithmic techniques to create “random numbers” although are not truly random can pass many tests of “randomness”

known as “pseudorandom numbers” created by “Pseudorandom Number Generators

(PRNGs)”

140NETE0519-ISEC0513

Using Block Ciphers as PRNGs

for cryptographic applications, can use a block cipher to generate random numbers

often for creating session keys from master key Counter Mode

Xi = EKm[i]

Output Feedback ModeXi = EKm[Xi-1]

141NETE0519-ISEC0513

ANSI X9.17 PRG

142NETE0519-ISEC0513

Seed value

Date/time

ANSI X9.17 PRG (cont.)

It uses date/time & seed inputs and 3 triple-DES encryptions to generate a new seed & random value. DTi - Date/time value at the beginning of ith generation stage Vi - Seed value at the beginning of ith generation stage Ri - Pseudorandom number produced by the ith generation stage K1, K2 - DES keys used for each stage

Then compute successive values as: Ri = EDE([K1, K2], [Vi XOR EDE([K1, K2], DTi)]) Vi+1 = EDE([K1, K2], [Ri XOR EDE([K1, K2], DTi)])

NETE0519-ISEC0513 143

Natural Random Noise

best source is natural randomness in real world find a regular but random event and monitor do generally need special h/w to do this

eg. radiation counters, radio noise, audio noise, thermal noise in diodes, leaky capacitors, mercury discharge tubes etc

starting to see such h/w in new CPU's problems of bias or uneven distribution in signal

have to compensate for this when sample and use best to only use a few noisiest bits from each sample

144NETE0519-ISEC0513

Published Sources

a few published collections of random numbers Rand Co, in 1955, published 1 million numbers

generated using an electronic roulette wheel has been used in some cipher designs cf Khafre

earlier Tippett in 1927 published a collection issues are that:

these are limited too well-known for most uses

145NETE0519-ISEC0513

NETE0519-ISEC0513

Outline

Overview of Cryptography Symmetric Cryptography Classical Cryptographic Techniques Block Ciphers VS Stream Ciphers DES and 3DES Advanced Encryption Standard (AES) Design of Symmetric Cryptosystems Locations of Encryption Devices Key Distribution Random Numbers Problems of Symmetric Cryptography

146

NETE0519-ISEC0513

Problems of Symmetric Cryptography

Keys must be distributed in secret. Keys are valuable as all the messages they encrypt.

If a key is compromised, then so the security of the entire system. Not scalable -> assume that each pair of total n users shares

different secrets. Number of keys needed is n(n-1)/2 keys Algorithms are easy to break compared to public-key cryptographic

algorithms However symmetric one can be performed faster -> less time -> less

power consumption -> suitable for being implemented in mobile devices

Lack of necessary security services e.g. non repudiation, provide low-level of integrity check

147

Questions?

Next weekPublic-key Cryptography

NETE0519-ISEC0513 148

Discussion

Discuss two differences between Block Cipher and Stream Cipher

Explain how symmetric cryptography can provide authentication

Suggest a key distribution technique that provides offline key generation and distribution

NETE0519-ISEC0513 149