CNIT 141 Cryptography for Computer Networks
4. Block Ciphers
Topics
• What is a Block Cipher
• How to Construct Block Ciphers
• The Advanced Encryption Standard (AES)
• Implementing AES
• Modes of Operation
• How Things Can Go Wrong
History
• US: Federal standard: DES (1979 - 2005)
• KGB: GOST 28147-89 (1990 - present)
• In 2000, NIST selected AES, developed in Belgium
• They are all block ciphers
What is a Block Cipher
Block Cipher
• E: encryption algorithm
• D: decryption algorithm
• K: key
• P: plaintext block
• C: ciphertext block
• C = E(K, P)
• P = D(K, C)
Security Goals
• Block cipher should be a pseudorandom permutation (PRP)
• Attacker can't compute output without the key
• Attackers should be unable to find patterns in the inputs/output values
• The ciphertext should appear random
Block Size
• DES: 64 bit
• AES: 128 bit
• Chosen to fit into registers of CPUs for speed
• Block sizes below 64 are vulnerable to a codebook attack
• Encrypt every possible plaintext, place in a codebook
• Look up blocks of ciphertext in the codebook
How to Construct Block Ciphers
Two Techniques
• Substitution-permutation (AES)
• Feistel (DES)
Rounds
• R is a round; in practice, a simple transformation
• A block cipher with three rounds:
• C = R3(R2(R1(P)))
• iR is the inverse round function, applied in reverse order to recover the plaintext
• P = iR1(iR2(iR3(C)))
Round Key
• The round functions R1 R2 R3 use the same algorithm
• But a different round key
• Round keys are K1, K2, K3, ... derived from the main key K using a key schedule
The Slide Attack and Round Keys
• Consider a block cipher with three rounds, and with all the round keys identical
The Slide Attack and Round Keys
• If an attacker can find plaintext blocks with P2 = R(P1)
• That implies C2 = R(C1)
• Which often helps to deduce the key
The Slide Attack and Round Keys
• The solution is to make all round keys different
• Note: the key schedule in AES is not one-way
• An attacker can compute K from any round key Ki
• So leaking a single round key, for example through a side-channel attack such as measuring electromagnetic emanations, exposes the whole key
Substitution-Permutation Networks
• Confusion means that each ciphertext bit depends on several key bits
• Provided by substitution using S-boxes
• Diffusion means that changing a bit of plaintext changes many bits in the ciphertext
• Provided by permutation
Feistel Schemes
• Only half the plaintext is encrypted in each round
• By the F substitution-permutation function
• Halves are swapped in each round
• DES uses 16 Feistel rounds
The Advanced Encryption Standard (AES)
DES
• DES had a 56-bit key
• Cracked by brute force in 1997
• 3DES was a stronger version
• Still considered strong, but slower than AES
• AES approved as the NIST standard in 2000
• Link Ch 4a
AES in Python
```
from Crypto.Cipher import AES           # PyCrypto, Python 2
plaintext = "DEAD MEN TELL NO"          # exactly 16 bytes: one AES block
key = "AAAABBBBCCCCDDDD"                # 16-byte key: AES-128
cipher = AES.new(key)                   # no mode given, so PyCrypto defaults to ECB
ciphertext = cipher.encrypt(plaintext)
print ciphertext                        # raw bytes, mostly unprintable
??k٨\?U?`???
print ciphertext.encode("hex")
8fc96bdbb85c8155896088b4ca201b7e
print cipher.decrypt(ciphertext)
DEAD MEN TELL NO
```
Implementing AES
Improving Efficiency
• Implementing each step as a separate function works, but it's slow
• Combining them with "table-based implementations" and "native instructions" is faster
• Using XORs and table lookups
OpenSSL Code is Table-Based
Timing Attacks
• The time required for encryption depends on the key
• Measuring timing leaks information about the key
• This is a problem with any efficient coding
• You could use slow code that wastes time
• A better solution relies on hardware
Native Instructions
• AES-NI
• Processor provides dedicated assembly instructions that perform AES
• Plaintext in register xmm0
• Round keys in xmm5 to xmm15
• Ten times faster with NI
Is AES Secure?
• AES implements many good design principles
• Proven to resist many classes of cryptanalytic attacks
• But no one can foresee all possible future attacks
• So far, no significant weakness in AES-128 has been found
Modes of Operation
Electronic Code Book (ECB)
• Each plaintext block is encrypted the same way
• Identical plaintext blocks produce identical ciphertext blocks
AES-ECB
• If plaintext repeats, so does ciphertext
```
plaintext = "DEAD MEN TELL NODEAD MEN TELL NO"   # the same 16-byte block twice
ciphertext = cipher.encrypt(plaintext)           # same ECB cipher object as above
print ciphertext.encode("hex")                   # the two 16-byte halves are identical
```
Staples Android App
• Link Ch 4b
Encrypted Password Repeats
ECB Mode
• Encrypted image retains large blocks of solid color
Cipher Block Chaining (CBC)
• Uses a key and an initialization vector (IV)
• Output of one block is the IV for the next block
• IV is not secret; sent in the clear
CBC Mode
• Encrypted image shows no patterns
Choosing IV
• If the same IV is used every time
• The first block is always encrypted the same way
• Messages with the same first plaintext block will have identical first ciphertext blocks
Parallelism
• ECB can be computed in parallel
• Each block is independent
• CBC requires serial processing
• Output of each block used to encrypt the next block
Message Length
• AES requires 16-byte blocks of plaintext
• Messages must be padded to make them long enough
PKCS#7 Padding
• The last byte of the padded plaintext is always between '\x00' and '\x10'
• Discard that many bytes to get original plaintext
Padding Oracle Attack
• Almost everything uses PKCS#7 padding
• But if the system displays a "Padding Error" message the whole system shatters like glass
• That message is sufficient side-channel information to allow an attacker to forge messages without the key
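PKCS#7 padding and the padding-oracle point above, as an added example in Python (not code from the slides; pkcs7_pad and pkcs7_unpad are this example's own names): pad appends 1 to 16 bytes, unpad checks every pad byte, and every malformed input yields the same result, so the caller never has a distinct "Padding Error" to report. Note that a valid pad byte runs from '\x01' to '\x10'; '\x00' is rejected.

```python
BLOCK = 16   # AES block size in bytes


def pkcs7_pad(data, block=BLOCK):
    # The pad length n is 1..block, never 0: a message that already fills whole
    # blocks gets a full block of b"\x10", so the last byte is always a pad byte.
    n = block - (len(data) % block)
    return data + bytes([n]) * n


def pkcs7_unpad(padded, block=BLOCK):
    # Returns the message, or None for any malformed input. The caller must map
    # None to the same generic failure it uses for every other decrypt error, so
    # that "padding wrong" is never distinguishable from any other rejection.
    if len(padded) == 0 or len(padded) % block != 0:
        return None
    n = padded[-1]
    if not 1 <= n <= block:           # 0x00 and anything above 0x10 are invalid
        return None
    bad = 0
    for byte in padded[-n:]:          # check every pad byte, not only the last one
        bad |= byte ^ n
    if bad:
        return None
    return padded[:-n]
```

The stronger fix is to authenticate the ciphertext (a MAC or an AEAD mode) and reject it before any padding is examined, so an attacker's modified blocks never reach the unpad step.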
Ciphertext Stealing
• Pad with zeroes
• Swap last two blocks of ciphertext
• Discard extra bytes at the end
• Images on next slides from Wikipedia
Ciphertext Stealing Encryption
Ciphertext Stealing Decryption
Security of Ciphertext Stealing
• No major problems
• Inelegant and difficult to get right
• NIST SP 800-38A specifies three different ways to implement it
• Rarely used
Counter (CTR) Mode
(Figure: counter blocks C1, C2, C3, each encrypted with key K by E to produce the keystream)
Counter (CTR) Mode
• Produces a pseudorandom byte stream
• XOR with plaintext to encrypt
Nonce
• Nonce (N) used to produce C1, C2, C3, etc.
• C1 = N ^ 1
• C2 = N ^ 2
• C3 = N ^ 3
• etc.
• Use a different N for each message
• N is not secret, sent in the clear
No Padding
• CTR mode uses a block cipher to produce a pseudorandom byte stream
• Creates a stream cipher
• Message can have any length
• No padding required
Parallelizing
• CTR is faster than any other mode
• Stream can be computed in advance, and in parallel
• Before even knowing the plaintext
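The Feistel construction, the round-key schedule and the ECB, CBC and CTR modes above, as one added worked example in Python (not code from the slides). The cipher is a toy 4-round Feistel network with an HMAC-SHA256 round function, constructed here for illustration only and not any standard; ECB and CBC expect block-aligned input, with padding handled separately. It shows that decryption is the same rounds with the round keys in reverse order, that ECB repeats blocks where CBC does not, that CBC with a reused IV repeats the first block, and that CTR turns the block cipher into a stream cipher that needs no padding.

```python
import hashlib
import hmac
import os

BLOCK = 16    # 128-bit block, as in AES
ROUNDS = 4    # DES uses 16; four HMAC-based rounds suffice for this illustration

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))   # zip trims a short final block

def key_schedule(key):
    # Round keys K1..Kn derived from the main key K; every round gets a different key.
    return [hmac.new(key, b"round-key-%d" % i, hashlib.sha256).digest()[:16]
            for i in range(1, ROUNDS + 1)]

def F(round_key, half):
    # Round function on one 8-byte half: a keyed PRF standing in for DES's S-box/P-box F.
    return hmac.new(round_key, half, hashlib.sha256).digest()[:8]

def encrypt_block(key, block):
    # Feistel: only one half is transformed per round, then the halves swap.
    L, R = block[:8], block[8:]
    for rk in key_schedule(key):                 # rounds R1, R2, ..., Rn
        L, R = R, xor(L, F(rk, R))
    return R + L                                 # undo the final swap

def decrypt_block(key, block):
    # Inverse rounds iRn, ..., iR1: the same code with the round keys in reverse order.
    L, R = block[:8], block[8:]
    for rk in reversed(key_schedule(key)):
        L, R = R, xor(L, F(rk, R))
    return R + L

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):
    # Every block is encrypted independently, so identical plaintext blocks repeat.
    return b"".join(encrypt_block(key, b) for b in blocks(pt))

def cbc_encrypt(key, iv, pt):
    # Each ciphertext block acts as the IV for the next; the first one uses the real IV.
    out, prev = [], iv
    for b in blocks(pt):
        prev = encrypt_block(key, xor(b, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for b in blocks(ct):
        out.append(xor(decrypt_block(key, b), prev))
        prev = b
    return b"".join(out)

def ctr_crypt(key, nonce, data):
    # Keystream block i = E(K, N ^ i), following the slide's C1 = N ^ 1, C2 = N ^ 2, ...
    # XORed with the data: one call both encrypts and decrypts, and no padding is needed.
    n = int.from_bytes(nonce, "big")
    out = []
    for i, b in enumerate(blocks(data), start=1):
        out.append(xor(b, encrypt_block(key, (n ^ i).to_bytes(BLOCK, "big"))))
    return b"".join(out)

def repeated_blocks(ct):
    # Defender's check: duplicate ciphertext blocks are the fingerprint of ECB (or of IV reuse).
    bs = blocks(ct)
    return len(bs) - len(set(bs))

if __name__ == "__main__":
    key = b"AAAABBBBCCCCDDDD"                   # constructed demo key, as on the AES slide
    msg = b"DEAD MEN TELL NO" * 2               # two identical blocks, as on the AES-ECB slide
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(key, msg)))
    print("CBC repeated blocks:", repeated_blocks(cbc_encrypt(key, os.urandom(BLOCK), msg)))
    print("CTR round trip:", ctr_crypt(key, b"\x07" * 16, ctr_crypt(key, b"\x07" * 16, msg[:23])) == msg[:23])
```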
How Things Can Go Wrong
Two Attacks
• Meet-in-the-middle
• Padding oracle
Meet-in-the-Middle Attacks
• 3DES does three rounds of DES
• Why not 2DES?
University of Houston
Attacking 2DES
• Two 56-bit keys, total 112 bits
• End-to-end brute force would take 2^112 calculations
Attacking 2DES
• Attacker inputs known P and gets C
• Wants to find K1, K2
Attacking 2DES
• Make a list of E(K1, P) for all 2^56 values of K1
• Make a list of D(K2, C) for all 2^56 values of K2
• Find the item with the same values in each list
• This finds K1 and K2 with 2^57 computations
Meet-in-the-Middle Attack on 3DES
• One table has 2^56 entries
• The other one has 2^112 entries
• 3DES has 112 bits of security
Padding Oracle
Padding Oracle
Padding Oracle
• Change the last byte in second block
• This changes the 17 bytes shown in red
Padding Oracle
• Try all 256 values of last byte in second block
• One of them has valid padding of '\x01'
• This determines the orange byte
Padding Oracle
• Continue, 256 guesses finds the next orange byte