Spring 2002 © 2000-2002, Richard A. Stanley WPI EE579T/3 #1 EE579T / CS525T Network Security 3: Symmetric Block Ciphers Prof. Richard A. Stanley

Post on 20-Dec-2015


Overview of Tonight’s Class

• Class list issues

• Review of last week’s class

• Network security in the news

• An overview of block ciphers

• Introduction to key distribution


Last Week...

• Networks and internetworks have become ubiquitous

• Networking allows interconnection of computers without much concern for the local OS or machine architecture

• Networking raises many serious security issues, which must be solved

• The pace of network security problem development is exceeding the pace of their solution


Security in the News

• Complexity is the enemy of security
  – You have heard this tune before!
  – Recently discovered that all (with one partial exception) products designed to perform secure file erasure fail in this task

• Leave NTFS alternate data streams, master file table

• NTFS is a very complex file system

• Complete analysis difficult, often not done

• Complexity level often beyond our control


Network Security This Week

• Have you been to MyParty?
  – Worm, written in Visual C++, looks like link to web
  – Set to spread between 1/24 and 1/29
  – Mails itself to everyone in your address book who is not infected (avoids tip-off)
  – Leaves behind backdoor Trojan Horse, Troj/Msstake-A, which could allow unauthorized access
  – Sends message to [email protected] (to track progress?)
  – Caught by Norton Antivirus 2002 (if up-to-date)
  – Forced filtering on WPI network to block it


Encryption Primer

• Cryptography = “secret writing”

• Input = plaintext

• Output = ciphertext

• Ciphertext = plaintext + key (in general)
  – Intention is that the cipher text be unintelligible to an eavesdropper

• Two basic types of cipher
  – Symmetric
  – Asymmetric


Definitions

• Encryption
  – The process of turning plaintext into ciphertext

• Decryption
  – The process of turning ciphertext into plaintext

• Cryptanalysis
  – The process of analyzing ciphertext with the goal of recovering the plaintext, without the key


Attacks on Cryptosystems

• Ciphertext-only attack

• Known-plaintext attack

• Chosen-plaintext attack

• Adaptive-chosen-plaintext attack

• Chosen-ciphertext attack

• Chosen-key attack (rare, difficult)

• Rubber-hose cryptanalysis (common, easy)

Source: Bruce Schneier, Applied Cryptography--Second Edition, pp. 5-7


Crypto Algorithm Security

• Unconditionally secure if, no matter how much ciphertext a cryptanalyst has, there is not enough information to recover the plaintext

• Computationally secure if it cannot be broken with available resources, either current or future

Source: Bruce Schneier, Applied Cryptography--Second Edition, pg. 8


Encryption

• There are many ways to render plaintext into ciphertext

• Only ONE provably secure cryptosystem
  – One-time pad
  – Secure even if pad or operator captured
  – BUT…errors can lead to decryption
  – http://www.cia.gov/csi/books/venona/preface.htm


One Time Pad


Why Use Anything Except One-time Pads?

• Speed of encipherment

• Letters vs. numbers

• Logistics

• Usability

• Error rates


Other Crypto Systems

• Substitution ciphers
  – Most famous is the Caesar cipher: monoalphabetic substitution with offset = 3
  – Children’s decoders usually in this category

• Book ciphers

• Codebooks


Problem Areas

• Languages have well-known statistics
  – E.g., “e” is most common letter in English
  – This can be exploited for cryptanalysis
  – Thus, substitution ciphers are not very secure
  – Similar problems plague book ciphers, etc.

• The only way to achieve true security is to make the ciphertext appear as random as possible


Modern Cryptography Uses Electronic Digital Systems

• Advantages:
  – Speed
  – Accuracy
  – Ability to use complex mathematics

• Disadvantages:
  – Complex equipment
  – Electronic vulnerabilities
  – Key management


Kerckhoffs’ Assumption

• Secrecy must reside solely in the key
  – It is assumed that the attacker knows the complete details of the cryptographic algorithm and implementation

• A. Kerckhoffs was a 19th century Dutch cryptographer

• Ergo, security by obscurity doesn’t work!


Symmetric Cryptography

[Figure: symmetric cryptography diagram; labels: Alice’s message, shared private key, algorithm, Bob]


Cipher Example (Vernam)

• Encipher
  Plain:  001 010 011 100
  +key:   111 011 010 101
  Cipher: 110 001 001 001

• Decipher
  Cipher: 110 001 001 001
  +key:   111 011 010 101
  Plain:  001 010 011 100

The ciphertext is simply the plain text added to the key, modulo 2. This is a reversible process, as seen above.


Why Does This Work?

• Cleartext is a function with known statistics, or even a deterministic function

• Key is a truly random data stream

• Sum of a random function and a non-random function is a random function

• So...crucial that the key be truly random

• This is not easy!


Vernam Cipher Weaknesses

• Two-way function
  – If any two of the inputs to the cryptographic algorithm are known, the third can be calculated
  – This allows recovery of the key if the attacker can obtain a plaintext and a ciphertext copy of the same message -- not often a hard task
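The Vernam example and the two-way weakness above, worked through in code. This is an added example, not part of the original slides; it uses the slide's own bit strings, and the second message (`PLAIN2`) is constructed here to show why a key must never be reused.

```python
def to_bits(groups: str) -> list:
    """Parse text such as '001 010' into a list of bits."""
    return [int(ch) for ch in groups if ch in "01"]


def fmt(bits: list) -> str:
    """Format bits in 3-bit groups, as on the slide."""
    s = "".join(str(b) for b in bits)
    return " ".join(s[i:i + 3] for i in range(0, len(s), 3))


def vernam(data: list, key: list) -> list:
    """Add data and key modulo 2 (XOR). The same call enciphers and deciphers."""
    if len(key) < len(data):
        raise ValueError("key must be at least as long as the data")
    return [d ^ k for d, k in zip(data, key)]


def recover_key(plain: list, cipher: list) -> list:
    """Two-way property: knowing plaintext and ciphertext yields the key."""
    return vernam(plain, cipher)


# Values from the slide
PLAIN = to_bits("001 010 011 100")
KEY = to_bits("111 011 010 101")
CIPHER = vernam(PLAIN, KEY)

# Constructed second message, enciphered under the SAME key (the mistake)
PLAIN2 = to_bits("101 101 000 111")
CIPHER2 = vernam(PLAIN2, KEY)


def demo() -> dict:
    key_guess = recover_key(PLAIN, CIPHER)
    return {
        "cipher": fmt(CIPHER),
        "roundtrip": fmt(vernam(CIPHER, KEY)),
        "recovered_key": fmt(key_guess),
        # A reused key exposes every other message sent under it
        "second_message": fmt(vernam(CIPHER2, key_guess)),
        # Even without any plaintext, the key cancels out of c1 + c2
        "key_cancels": vernam(CIPHER, CIPHER2) == vernam(PLAIN, PLAIN2),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The practical consequence for a defender is that each key stream may protect exactly one message; a fresh, truly random key per message removes both results shown by `demo()`.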


Enigma

• Probably history’s most famous cipher machine

• Even today, a good cipher machine

• Capable of billions of billions of text permutations

• Codes broken!

• Depended on security by obscurity--a failure


How to Achieve Good Cryptography?

• Well-reviewed algorithms
  – So weaknesses cannot “hide” until after implementation

• Excellent key generation & management
  – To maintain secrecy of the key

• Algorithms that are sufficiently complex so as to not permit feasible exhaustive attacks


More Definitions

• Block cipher
  – Data is broken into fixed-size blocks, and encrypted a block at a time
  – Blocks are padded out if necessary

• Stream cipher
  – Data is encrypted a bit at a time, as it is presented to the encryption engine

• Most algorithms in use today are block ciphers


Feistel Ciphers: Characteristics

• Special class of iterated block ciphers

• Ciphertext calculated from plaintext by repeated application of the same transformation or round function

• Encryption and decryption are structurally identical (subkey order reversed for decryption)

• Fast, even in software implementation

• Easily analyzed (i.e., deficiencies more readily found by analysis)


Feistel Ciphers: Step by Step

• Plaintext split into two halves

• Round function f is applied to one half using a subkey

• Output of f is XOR’d with the other half of the plaintext

• Two halves are swapped

• Process repeated for n rounds

• No swap after last round


Subkey Generation

• Creating the subkeys in a Feistel cipher has a major effect on the overall security of the algorithm
  – Possible to create weak keys
  – Changes in the subkey algorithm can result in effectively different realizations of the algorithm

• DES is based on Feistel rounds, and uses a complex method of subkey generation


Importance of Feistel Ciphers

• Basis of DES, other important algorithms
  – Horst Feistel worked for IBM in 1973
  – IBM’s Lucifer algorithm, based on Feistel rounds, became the DES standard in 1977

• Many other algorithm authors have used Feistel rounds, or variants thereof, to realize block ciphers

• Feistel ciphers are not the only kind of iterative block cipher


DES: Feistel Applied

• DES: Data Encryption Standard

• Formal specification -- FIPS PUB 46-3, last affirmed 25 October 1999 http://www.csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf

• Describes two cryptographic algorithms
  – DES
  – TDEA (commonly referred to as 3DES)

• DES based on IBM Lucifer cipher of 1974


DES Characteristics

• 64-bit block cipher

• 56-bit key, with additional 8 bits used for error checking (odd parity on each byte)

• Four operating modes
  – Electronic Codebook (ECB)
  – Cipher Block Chaining (CBC)
  – Cipher Feedback (CFB)
  – Output Feedback (OFB)


DES Enciphering Computation

Feistel round


Initial Permutation


Cipher Function, f(Rn,Kn)


How Can This Happen?

• Turn 32-bit plaintext into 48-bit output

• Add to 48-bit key

• Get 32-bit output


Crypto Function Details

• E-function takes the input to the Feistel round and expands it to 48 bits

• S-boxes (for selection, usually referred to as substitution) permute bits to produce the proper output

• P-function permutes 32-bit output of the S-boxes

• Inverse permutation (IP⁻¹) restores bit order after the 16 Feistel rounds


E-function


P-Function


S-box Example

Result over 8 S-boxes: 48 bits → 32 bits


Key Scheduling


Permuted Choice 1

C( )

D( )


Left Shift Schedule

NB: These are circular left shifts


Permuted Choice 2


DES Decryption

• As DES is a Feistel cipher, decryption uses the same engine as does encryption

• For decryption:
  – The DES engine is precisely the same as the encryption engine -- it is not run in reverse (e.g. with the input coming in the “bottom”)
  – Instead, the key schedule is run in reverse; i.e. the first subkey used is K16, then K15, etc., finishing with K1


Principal DES Operating Modes - 1 (FIPS PUB 81)

• Electronic Code Book (ECB)
  – Encrypts one block at a time with selected key
  – Simplest implementation of DES
  – Vulnerability: repeated plaintext can reveal key, and then all cipher blocks can be decrypted


ECB


Principal DES Operating Modes - 2 (FIPS PUB 81)

• Cipher Block Chaining (CBC)
  – Input to each block is the output of the previous block XOR’d with the next plaintext block
  – Initial block XOR’d with an Initialization Vector (IV)
  – This approach greatly improves the security of DES against key searches
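The Feistel steps, the reversed-subkey decryption rule, and the ECB and CBC modes described in these slides, put together in one runnable sketch. This is an added example, not code from the lecture: the round function `f` and the key schedule `subkeys` are toy stand-ins built on SHA-256 (assumptions, not the DES E/S/P functions or PC-1/PC-2 schedule), and the key, IV and message are constructed sample values.

```python
import hashlib

BLOCK = 8            # 64-bit block, as in DES
HALF = BLOCK // 2
ROUNDS = 16          # DES also runs 16 Feistel rounds


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def subkeys(key: bytes) -> list:
    # Toy key schedule (assumption): hash the key together with the round number.
    return [hashlib.sha256(key + bytes([r])).digest()[:HALF] for r in range(ROUNDS)]


def f(half: bytes, subkey: bytes) -> bytes:
    # Toy round function (assumption). It is not invertible and need not be.
    return hashlib.sha256(subkey + half).digest()[:HALF]


def feistel(block: bytes, ks: list) -> bytes:
    left, right = block[:HALF], block[HALF:]
    for k in ks:
        # Apply f to one half, XOR the result into the other half, swap halves.
        left, right = right, xor(left, f(right, k))
    return right + left          # cancels the swap made in the last round


def encrypt_block(block: bytes, key: bytes) -> bytes:
    return feistel(block, subkeys(key))


def decrypt_block(block: bytes, key: bytes) -> bytes:
    # Same engine; only the subkey order is reversed (K16 first, K1 last).
    return feistel(block, subkeys(key)[::-1])


def blocks(data: bytes) -> list:
    if len(data) % BLOCK:
        raise ValueError("pad the data to a multiple of the block size first")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(pt: bytes, key: bytes) -> bytes:
    return b"".join(encrypt_block(b, key) for b in blocks(pt))


def cbc_encrypt(pt: bytes, key: bytes, iv: bytes) -> bytes:
    out, prev = [], iv
    for b in blocks(pt):
        prev = encrypt_block(xor(b, prev), key)   # chain in previous ciphertext
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(ct: bytes, key: bytes, iv: bytes) -> bytes:
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(decrypt_block(c, key), prev))
        prev = c
    return b"".join(out)


def repeated_blocks(ct: bytes) -> int:
    """Number of ciphertext blocks that duplicate an earlier block."""
    bs = blocks(ct)
    return len(bs) - len(set(bs))


# Constructed sample values
KEY = b"demo-key"
IV = bytes(range(BLOCK))          # fixed here for repeatability only
MESSAGE = b"PAY 100$" * 3 + b"PAY 999$"

if __name__ == "__main__":
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(MESSAGE, KEY)))
    print("CBC repeated blocks:", repeated_blocks(cbc_encrypt(MESSAGE, KEY, IV)))
    print("CBC round trip ok:", cbc_decrypt(cbc_encrypt(MESSAGE, KEY, IV), KEY, IV) == MESSAGE)
```

A count of repeated ciphertext blocks, as `repeated_blocks` computes, is also a quick check an auditor can run over stored ciphertext to spot data that was encrypted in ECB mode.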


CBC


Additional DES Modes - 1 (FIPS PUB 81)

• Cipher Feedback Mode (CFB)
  – previous ciphertext block encrypted and output XOR’d with plaintext block to produce current ciphertext block
  – can use feedback that is less than one full data block
  – initialization vector used as “seed” for the process.


CFB


Additional DES Modes - 2 (FIPS PUB 81)

• Output Feedback Mode (OFB)
  – similar to CFB mode except data XOR’d with each plaintext block is generated independently of both the plaintext and ciphertext
  – initialization vector s_0 used as “seed” for a sequence of data blocks s_i
  – each data block s_i derived from encryption of the previous data block s_{i-1}


OFB


Importance of DES

• Ubiquitous, U.S. federal standard

• When standardized, 56-bit key made cipher computationally secure
  – This is no longer the case
  – DES has been broken using brute force attacks in 56 hours, using recycled computer boards costing less than $250,000 (July 15, 1998)

• Immediate fix: Triple Data Encryption Algorithm (or Triple DES, 3DES)


TDEA

Encryption

Decryption


TDEA Realities

• Two keying options
  – Three separate keys (as shown on previous slide)
  – Two keys; EK1 = EK3
  – Resultant key lengths of 168 or 112 bits

• For mathematical reasons we won’t go into here, 3-key TDEA is only about twice as secure as DES, not 3 times as secure

• Implemented in hardware, 3-key TDEA can achieve throughputs approaching 1 Gbps


TDEA Advantages

• Thoroughly analyzed, unlikely to have any hidden vulnerabilities

• Much less vulnerable to brute force attack than DES

• Can be implemented in silicon, with very fast throughput


TDEA Disadvantages

• Algorithm produces slow software implementations

• Limited to 64-bit block size

• Trebles the key distribution problem of DES


AES: The Next Generation

• Advanced Encryption Standard (FIPS PUB 197)
  – Established to counter weaknesses of DES
  – Based on Rijndael algorithm
    • Joan Daemen and Vincent Rijmen, Belgians, authors
  – U. S. standard adopted Nov. 26, 2001
  – Becomes effective May 26, 2002
  – Key lengths of 128, 192, and 256 bits
  – Block size of 128 bits
    • In AES, Rijndael allows for other sizes


Rijndael Structure

• Rijndael is not a Feistel cipher; rather, it uses substitution boxes

• “...typically part of the bits of the intermediate state are simply transposed unchanged to another position”

• “...[each] round transformation is composed of three distinct invertible uniform transformations”


AES’ Future

• Clearly intended to replace DES & TDEA

• Designed for efficient software implementation

• Not yet as thoroughly analyzed as DES

• Expect implementations on the market this year

• Probably a long coexistence of TDEA & AES


Key Types

• Permanent
  – Used for a fixed, prearranged period of time
  – Typically used for applications such as key distribution, government communications, etc.

• Session
  – Valid only for current communications session
  – Destroyed after session terminates


Key Distribution Problem

• Secret keys must be prepositioned at all locations before secure communications can occur.

• How to do this?
  – Secure physical transport
  – Secure electronic transport

• The search for a way to accomplish this led to the development of public key cryptography, which we will study next class


Summary -1

• Symmetric key cryptography uses one key, shared by all users of the cipher

• There are many weaknesses to basic crypto algorithms like the Vernam cipher

• Feistel ciphers provide a more complex algorithm that permits iterative encryption

• Feistel cipher decryption uses same process as encryption, making process simpler


Summary - 2

• Block ciphers are widely used

• Most commonly used block cipher today is TDEA, operating in one of 4 modes

• TDEA is limited by 64-bit block and key size, provides poor software implementation

• AES chosen to replace TDEA

• Should be several years of coexistence


Homework

• Read Chapter 3 sections 3.3, 3.4, 3.6

• Do following exercises from text:
  – 2.1a,b
  – 2.4
  – 2.5
  – 2.7