EE579T / CS525T Network Security

2: Symmetric Block Ciphers

Prof. Richard A. Stanley

Spring 2003 © 2000-2003, Richard A. Stanley

Post on 20-Dec-2015


Overview of Tonight’s Class

• Class list updates

• Course syllabus

• Course project introduction

• Review of last week’s class

• Introduction to network security issues

• An overview of block ciphers

• Introduction to key distribution


Syllabus (subject to adjustment)

Class  Worcester  Waltham   Topic
1      1/14/03    1/16/03   Introduction & Computer Security Review
2      1/21/03    1/23/03   Symmetric Ciphers
3      1/28/03    1/30/03   Asymmetric Ciphers
4      2/4/03     2/6/03    Network Authentication
5      2/11/03    2/13/03   IPSec
6      2/18/03    2/20/03   SSL
7      2/25/03    2/27/03   Vulnerability Assessment
8      3/4/03     3/6/03    Introduction to Network-based Attacks
9      3/11/03    3/13/03   SNMP and security
10     3/18/03    3/20/03   Firewalls
11     3/25/03    3/27/03   Wireless Networks and Security
12     4/1/03     4/3/03    Legal and Ethical Issues
13     4/8/03     4/10/03   Project Presentations - 1
14     4/15/03    4/17/03   Project Presentations - 2
15     4/22/03    4/24/03   Contingency week


Course Projects Overview

• Teams of 2-4 individuals, 4 preferred

• Identify, through research, a meaningful network security problem (reported on as historical or one you can hypothesize)

• Analyze the problem
  – Why did it occur?
  – How could you have prevented or mitigated it?

• Prepare report and present to the class


Last Week...

• Computer security is a real need in real systems

• Without computer security, network security is a pipedream

• Network security is an even more difficult problem than computer security, for a number of reasons

• Absolute security does not exist


Networks

• A network is an interconnected group of communicating devices.

• Two primary network types
  – Circuit-switched (connection oriented)
  – Packet-switched (connectionless)

• Span
  – WAN, MAN, LAN
  – So what?


Network Topology

• The topology of a network is a view of its interconnections, as they would be seen by an observer looking down from great height

• Topology is important because it has implications for security

• Three major topologies:
  – star
  – bus
  – ring


Some Network Security Issues

• Users not necessarily registered at the node they are accessing
  – How to authenticate users?
  – What is basis for access control decisions?

• Some options:
  – User ID
  – User address
  – Service being invoked
  – Cryptographic-based solutions


Internetworking

• Internetworking is the interconnection of networks

• The Internet is an internetwork; not all internetworks are the Internet

• Very few modern networks exist in isolation; most are internetworked

• This has important security and legal implications


Internetworking Concepts

• Networks are interconnected by routers or gateways
  – More about this later in the course

• Routers route a packet using the destination network address, not the destination host address
  – Analogous to the world postal system and how letters are routed


Network Facts

• Most computers today are connected to a network (consider the Internet), at least for part of the time they are in operation

• Most local networks are internetworked

• How to provide authenticity, integrity, confidentiality, availability?

• Cryptography can help provide all the security services except availability


Encryption Primer

• Cryptography = “secret writing”

• Input = plaintext

• Output = ciphertext

• Ciphertext = plaintext + key (in general)
  – Intention is that the cipher text be unintelligible to an eavesdropper

• Two basic types of cipher
  – Symmetric
  – Asymmetric


Definitions

• Encryption
  – The process of turning plaintext into ciphertext

• Decryption
  – The process of turning ciphertext into plaintext

• Cryptanalysis
  – The process of analyzing ciphertext with the goal of recovering the plaintext, without the key


Attacks on Cryptosystems

• Ciphertext-only attack

• Known-plaintext attack

• Chosen-plaintext attack

• Adaptive-chosen-plaintext attack

• Chosen ciphertext attack

• Chosen-key attack (rare, difficult)

• Rubber-hose cryptanalysis (common, easy)

Source: Bruce Schneier, Applied Cryptography--Second Edition, pp. 5-7


Crypto Algorithm Security

• Unconditionally secure if, no matter how much ciphertext a cryptanalyst has, there is not enough information to recover the plaintext

• Computationally secure if it cannot be broken with available resources, either current or future

Source: Bruce Schneier, Applied Cryptography--Second Edition, pg. 8


Encryption

• There are many ways to render plaintext into ciphertext

• Only ONE provably secure cryptosystem
  – One-time pad
  – Secure even if pad or operator captured
  – BUT…errors can lead to decryption
  – http://www.cia.gov/csi/books/venona/preface.htm


One Time Pad


Why Use Anything Except One-time Pads?

• Speed of encipherment

• Letters vs. numbers

• Logistics

• Usability

• Error rates


Other Crypto Systems

• Substitution ciphers
  – Most famous is the Caesar cipher: monoalphabetic substitution with offset = 3
  – Children’s decoders usually in this category

• Book ciphers

• Codebooks


Problem Areas

• Languages have well-known statistics
  – E.g., “e” is most common letter in English
  – This can be exploited for cryptanalysis
  – Thus, substitution ciphers are not very secure
  – Similar problems plague book ciphers, etc.

• The only way to achieve true security is to make the ciphertext appear as random as possible
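The language-statistics problem above, worked through on the Caesar cipher from the previous slide. This is an added example, not part of the original lecture; the sample sentence is constructed and the function names are this example's own.

```python
from collections import Counter
import string

def caesar(text, offset):
    """Monoalphabetic substitution: shift each lowercase letter by `offset`."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - ord("a") + offset) % 26 + ord("a")))
        else:
            out.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(out)

def letter_counts(text):
    """Count only the letters; this is the statistic the cipher fails to hide."""
    return Counter(ch for ch in text if ch in string.ascii_lowercase)

def guess_offset(ciphertext):
    """Assume the most frequent ciphertext letter stands for 'e'.

    Works when the text is long enough for 'e' to dominate; short or
    unusual texts need a comparison against the full frequency table.
    """
    most_common = letter_counts(ciphertext).most_common(1)[0][0]
    return (ord(most_common) - ord("e")) % 26

# Constructed sample plaintext (not from the lecture).
SAMPLE = "meet me at the eastern gate where the evening sentries never keep watch"

if __name__ == "__main__":
    ciphertext = caesar(SAMPLE, 3)
    offset = guess_offset(ciphertext)
    print("ciphertext:      ", ciphertext)
    print("top letters:     ", letter_counts(ciphertext).most_common(3))
    print("recovered offset:", offset)
    print("recovered text:  ", caesar(ciphertext, -offset))
```

The substitution changes which letter is most common but not how common it is, so the plaintext statistics survive in the ciphertext.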


Modern Cryptography Uses Electronic Digital Systems

• Advantages:
  – Speed
  – Accuracy
  – Ability to use complex mathematics

• Disadvantages
  – Complex equipment
  – Electronic vulnerabilities
  – Key management


Kerckhoffs’ Assumption

• Secrecy must reside solely in the key
  – It is assumed that the attacker knows the complete details of the cryptographic algorithm and implementation

• A. Kerckhoffs was a 19th century Dutch cryptographer

• Ergo, Security by obscurity doesn’t work!


Symmetric Cryptography

[Diagram labels: Alice’s message, shared private key, algorithm, Bob, shared private key, Alice’s message]


Cipher Example (Vernam)

Encipher
  Plain:  001 010 011 100
  +key:   111 011 010 101
  Cipher: 110 001 001 001

Decipher
  Cipher: 110 001 001 001
  +key:   111 011 010 101
  Plain:  001 010 011 100

The ciphertext is simply the plain text added to the key, modulo 2. This is a reversible process, as seen above.


Why Does This Work?

• Cleartext is a function with known statistics, or even a deterministic function

• Key is a truly random data stream

• Sum of a random function and a non-random function is a random function

• So...crucial that the key be truly random

• This is not easy!


Vernam Cipher Weaknesses

• Two-way function
  – If any two of the inputs to the cryptographic algorithm are known, the third can be calculated
  – This allows recovery of the key if the attacker can obtain a plaintext and a ciphertext copy of the same message -- not often a hard task
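The two-way property, run on the bit values from the Vernam example slide. This is an added example, not part of the original lecture; the second message is constructed, and the function names are this example's own. It shows why a key that has been paired with a known plaintext must never be used again.

```python
import secrets

def bits(s):
    """Parse a string such as '001 010' into a list of bits, ignoring spaces."""
    return [int(c) for c in s if c in "01"]

def vernam(a, b):
    """Add two equal-length bit sequences modulo 2 (XOR)."""
    if len(a) != len(b):
        raise ValueError("key and message must be the same length")
    return [x ^ y for x, y in zip(a, b)]

def recover_key(known_plain, cipher):
    """Any two of (plaintext, key, ciphertext) give the third."""
    return vernam(known_plain, cipher)

def fresh_key(n):
    """A new key per message, drawn from the OS random source."""
    return [secrets.randbits(1) for _ in range(n)]

# Values from the "Cipher Example (Vernam)" slide.
PLAIN = bits("001 010 011 100")
KEY = bits("111 011 010 101")
CIPHER = vernam(PLAIN, KEY)

# Constructed second message (not from the lecture).
SECOND_PLAIN = bits("101 101 000 111")

def reuse_demo():
    """Return what an eavesdropper learns when KEY is used a second time."""
    recovered = recover_key(PLAIN, CIPHER)          # plaintext + ciphertext -> key
    second_cipher = vernam(SECOND_PLAIN, KEY)       # same key used again
    exposed = vernam(second_cipher, recovered)      # second message falls out
    return {"recovered_key": recovered, "exposed": exposed}

if __name__ == "__main__":
    result = reuse_demo()
    print("cipher       :", CIPHER)
    print("recovered key:", result["recovered_key"])
    print("second msg   :", result["exposed"])
    # With fresh_key(len(SECOND_PLAIN)) for the second message, the
    # recovered key no longer matches and the second message stays hidden.
    print("fresh key    :", fresh_key(len(SECOND_PLAIN)))
```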


Enigma

• Probably history’s most famous cipher machine

• Even today, a good cipher machine

• Capable of billions of billions of text permutations

• Codes broken!

• Depended on security by obscurity--a failure


Sigaba

Similar in theory to Enigma.

Designed for strategic (fixed station) use; note direct punching of teletypewriter paper tape for transmission.


How to Achieve Good Cryptography?

• Well-reviewed algorithms
  – So weaknesses cannot “hide” until after implementation

• Excellent key generation & management
  – To maintain secrecy of the key

• Algorithms that are sufficiently complex so as to not permit feasible exhaustive attacks


More Definitions

• Block cipher
  – Data is broken into fixed-size blocks, and encrypted a block at a time
  – Blocks are padded out if necessary

• Stream cipher
  – Data is encrypted a bit at a time, as it is presented to the encryption engine

• Most algorithms in use today are block ciphers


Feistel Ciphers: Characteristics

• Special class of iterated block ciphers

• Ciphertext calculated from plaintext by repeated application of the same transformation or round function

• Encryption and decryption are structurally identical (subkey order reversed for decryption)

• Fast, even in software implementation

• Easily analyzed (i.e., deficiencies more readily found by analysis)


Feistel Ciphers: Step by Step

• Plaintext split into two halves

• Round function f is applied to one half using a subkey

• Output of f is XOR’d with the other half of the plaintext

• Two halves are swapped

• Process repeated for n rounds

• No swap after last round


Subkey Generation

• Creating the subkeys in a Feistel cipher has a major effect on the overall security of the algorithm
  – Possible to create weak keys
  – Changes in the subkey algorithm can result in effectively different realizations of the algorithm

• DES is based on Feistel rounds, and uses a complex method of subkey generation


Importance of Feistel Ciphers

• Basis of DES, other important algorithms
  – Horst Feistel worked for IBM in 1973
  – IBM’s Lucifer algorithm, based on Feistel rounds, became the DES standard in 1977

• Many other algorithm authors have used Feistel rounds, or variants thereof, to realize block ciphers

• Feistel ciphers are not the only kind of iterative block cipher


DES: Feistel Applied

• DES: Data Encryption Standard

• Formal specification -- FIPS PUB 46-3, last affirmed 25 October 1999
  http://www.csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf

• Describes two cryptographic algorithms
  – DES
  – TDEA (commonly referred to as 3DES)

• DES based on IBM Lucifer cipher of 1974


DES Characteristics

• 64-bit block cipher

• 56-bit key, with additional 8 bits used for error checking (odd parity on each byte)

• Four operating modes
  – Electronic Codebook (ECB)
  – Cipher Block Chaining (CBC)
  – Cipher Feedback (CFB)
  – Output Feedback (OFB)


DES Enciphering Computation

Feistel round


Initial Permutation


Cipher Function, f(Rn,Kn)


How Can This Happen?

• Turn 32-bit plaintext into 48-bit output

• Add to 48-bit key

• Get 32-bit output


Crypto Function Details

• E-function takes the input to the Feistel round and expands it to 48 bits

• S-boxes (for selection, usually referred to as substitution) permute bits to produce the proper output

• P-function permutes 32-bit output of the S-boxes

• Inverse permutation (IP⁻¹) restores bit order after the 16 Feistel rounds


E-function


P-Function


S-box Example

Result over 8 S-boxes: 48 bits → 32 bits


Key Scheduling


Permuted Choice 1

C( )

D( )


Left Shift Schedule

NB: These are circular left shifts


Permuted Choice 2


DES Decryption

• As DES is a Feistel cipher, decryption uses the same engine as does encryption

• For decryption:
  – The DES engine is precisely the same as the encryption engine -- it is not run in reverse (e.g. with the input coming in the “bottom”)
  – Instead, the key schedule is run in reverse; i.e. the first subkey used is K16, then K15, etc., finishing with K1


Principal DES Operating Modes - 1 (FIPS PUB 81)

• Electronic Code Book (ECB)
  – Encrypts one block at a time with selected key
  – Simplest implementation of DES
  – Vulnerability: repeated plaintext can reveal key, and then all cipher blocks can be decrypted


ECB


Principal DES Operating Modes - 2 (FIPS PUB 81)

• Cipher Block Chaining (CBC)
  – Input to each block is the output of the previous block XOR’d with the next plaintext block
  – Initial block XOR’d with an Initialization Vector (IV)
  – This approach greatly improves the security of DES against key searches
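The Feistel steps, the reversed key schedule used for decryption, and the ECB and CBC modes from the preceding slides, put together in one runnable sketch. This is an added example, not part of the original lecture and not DES: the round function and the subkey derivation are stand-ins built on SHA-256, and the key, IV and message are constructed.

```python
import hashlib

BLOCK = 8            # 64-bit block, the DES block size
HALF = BLOCK // 2

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def subkeys(key, rounds=16):
    # Assumption: SHA-256 stands in for a real key schedule.
    return [hashlib.sha256(key + bytes([i])).digest()[:HALF] for i in range(rounds)]

def f(half, subkey):
    # Assumption: toy round function; it does not need to be invertible.
    return hashlib.sha256(subkey + half).digest()[:HALF]

def feistel(block, keys):
    left, right = block[:HALF], block[HALF:]
    for k in keys:
        # Apply f to one half, XOR the result into the other, swap halves.
        left, right = right, xor(left, f(right, k))
    return right + left   # undo the final swap: no swap after the last round

def encrypt_block(block, key):
    return feistel(block, subkeys(key))

def decrypt_block(block, key):
    # Same engine as encryption; only the subkey order is reversed.
    return feistel(block, subkeys(key)[::-1])

def split(data):
    if len(data) % BLOCK:
        raise ValueError("pad the data to a multiple of the block size first")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(data, key):
    # Each block is enciphered on its own with the selected key.
    return b"".join(encrypt_block(b, key) for b in split(data))

def cbc_encrypt(data, key, iv):
    out, prev = [], iv
    for b in split(data):
        prev = encrypt_block(xor(b, prev), key)   # chain in previous ciphertext
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(data, key, iv):
    out, prev = [], iv
    for c in split(data):
        out.append(xor(decrypt_block(c, key), prev))
        prev = c
    return b"".join(out)

def repeated_blocks(ciphertext):
    """Number of ciphertext blocks that duplicate an earlier block."""
    blocks = split(ciphertext)
    return len(blocks) - len(set(blocks))

# Constructed inputs: three identical plaintext blocks followed by one other.
KEY = b"constructed-key"
IV = bytes.fromhex("0011223344556677")   # fixed here for repeatability
MESSAGE = b"PAY 100 " * 3 + b"TO ALICE"

if __name__ == "__main__":
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(MESSAGE, KEY)))
    print("CBC repeated blocks:", repeated_blocks(cbc_encrypt(MESSAGE, KEY, IV)))
    print("CBC round trip     :", cbc_decrypt(cbc_encrypt(MESSAGE, KEY, IV), KEY, IV))
```

Under ECB the three identical plaintext blocks appear as three identical ciphertext blocks; under CBC the chaining makes every ciphertext block different.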


CBC


Additional DES Modes - 1 (FIPS PUB 81)

• Cipher Feedback Mode
  – previous ciphertext block encrypted and output XOR’d with plaintext block to produce current ciphertext block
  – can use feedback that is less than one full data block
  – initialization vector used as “seed” for the process.


CFB


Additional DES Modes - 2 (FIPS PUB 81)

• Output Feedback Mode (OFB)
  – similar to CFB mode except data XOR’d with each plaintext block is generated independently of both the plaintext and ciphertext
  – initialization vector s_0 used as “seed” for a sequence of data blocks s_i
  – each data block s_i derived from encryption of the previous data block s_{i-1}


OFB


Importance of DES

• Ubiquitous, U.S. federal standard

• When standardized, the 56-bit key made the cipher computationally secure

– This is no longer the case

– DES has been broken using brute force attacks in 56 hours, using recycled computer boards costing less than $250,000 (July 15, 1998)

• Immediate fix: Triple Data Encryption Algorithm (or Triple DES, 3DES)


TDEA

Encryption

Decryption


TDEA Realities

• Two keying options
  – Three separate keys (as shown on previous slide)
  – Two keys; EK1 = EK3
  – Resultant key lengths of 168 or 112 bits

• For mathematical reasons we won’t go into here, 3-key TDEA is only about twice as secure as DES, not 3 times as secure

• Implemented in hardware, 3-key TDEA can achieve throughputs approaching 1 Gbps


TDEA Advantages

• Thoroughly analyzed, unlikely to have any hidden vulnerabilities

• Much less vulnerable to brute force attack than DES

• Can be implemented in silicon, with very fast throughput


TDEA Disadvantages

• Algorithm produces slow software implementations

• Limited to 64-bit block size

• Trebles the key distribution problem of DES


AES: The Next Generation

• Advanced Encryption Standard (FIPS PUB 197)
  – Established to counter weaknesses of DES
  – Based on Rijndael algorithm
    • Joan Daemen and Vincent Rijmen, Belgians, authors
  – U. S. standard adopted Nov. 26, 2001
  – Became effective May 26, 2002
  – Key lengths of 128, 192, and 256 bits
  – Block size of 128 bits
    • In AES, Rijndael allows for other sizes


Rijndael Structure

• Rijndael is not a Feistel cipher; rather, it uses substitution boxes

• “...typically part of the bits of the intermediate state are simply transposed unchanged to another position”

• “...[each] round transformation is composed of three distinct invertible uniform transformations”


AES’ Future

• Clearly intended to replace DES & TDEA

• Designed for efficient software implementation

• Not yet as thoroughly analyzed as DES

• Expect implementations on the market this year

• Probably a long coexistence of TDEA & AES


Key Types

• Permanent
  – Used for a fixed, prearranged period of time
  – Typically used for applications such as key distribution, government communications, etc.

• Session
  – Valid only for current communications session
  – Destroyed after session terminates


Key Distribution Problem

• Secret keys must be prepositioned at all locations before secure communications can occur.

• How to do this?
  – Secure physical transport
  – Secure electronic transport

• The search for a way to accomplish this led to the development of public key cryptography, which we will study next class


Summary -1

• Symmetric key cryptography uses one key, shared by all users of the cipher

• There are many weaknesses to basic crypto algorithms like the Vernam cipher

• Feistel ciphers provide a more complex algorithm that permits iterative encryption

• Feistel cipher decryption uses same process as encryption, making process simpler


Summary - 2

• Block ciphers are widely used

• Most commonly used block cipher today is TDEA, operating in one of 4 modes

• TDEA is limited by 64-bit block and key size, provides poor software implementation

• AES chosen to replace TDEA

• Should be several years of coexistence


Homework

• Read Chapter 3 sections 3.3, 3.4, 3.6

• Do following exercises from text:
  – 2.1a,b
  – 2.4
  – 2.5
  – 2.7