secret key: stream ciphers & block ciphersalberto/didattica/cns-slides/secret-key_2.pdf ·...
TRANSCRIPT
Secret Key: stream ciphers & block ciphers
Stream CiphersIdea: try to simulate one-time pad• define a secret key (“seed”)• Using the seed generates a byte stream
(Keystream): i-th byte is function– only of the key (synchronous Stream cypher)
or– Of the key and first i-1 bytes of ciphertext
(asynchronous Stream cypher).• obtain ciphertext by using XOR of
textplain and keystream (bi-wise)
=
⊕
Synchronous Stream Cipher
Key
Ciphertext
Stream
Plaintext
encryption
Synchronous Stream Cipher
=
⊕
Key
Plaintext
Stream
Ciphertext
decryption
Cipher Streams in practice
• Many codes before 1940• Enigma - II world war (Germany)• A5 – GSM (encryption cell phone-
base station)• WEP - used in ethernet 802.11
(wireless)• RC-4 (Ron’s Code)
Example: RC-4
• RC: code proposed by Ron (Ron’s Code,Ron=Ronald Rivest)
• Considered safe: 1987 - 1994 kept secret,after ‘94 extensively studied
• Good for exporting (complain USrestrictions)
• Easy to program, fast• Very popular: Lotus Notes, SSL, Wep etc.
RC4: properties
• variable key lenght (byte)• synchronous• starting from the key it generates aapparently random permutation:
•Eventually the sequence will repeat•However long period > 10100 [in this way itsimulates one-time-pad]
• very fast: 1 byte of output requires 8-16instruction
RC-4 initialization1. j=02. S0=0, S1=1, …, S255=2553. Assume a key of 255 (bytes) k0,…,k255 (if the
key is shorter repeat)4. For i=0 to 255
j = (j + Si+ ki) mod 256exchange Si and Sj
In this way we obtain a permutation of 0, 1,…,255, the resulting permutation is afunction of the key
RC-4 Key-stream generation
Input: i,j, permutation of 0,1,…2551. i = (i+1) mod 2562. j = (j +Si) mod 2563. exchange Si and Sj
4. t = (Si + Sj) mod 2565. B = St
Output: BRecall: ciphertext EXOR of 1 byte of
plaintext and 1 byte of ciphertext
Real World Block Ciphers
• DES, 3-DES - (64 bit block, 56 bit key)• AES (Rijndael) (128-256 block)• RC-2• RC-5• IDEA ((64 bit block, 128 bit key)• Blowfish, Cast• Gost
ECB Mode Encryption(Electronic Code Book)
P1
Ek
C1
P2
Ek
C2
P3
Ek
C3
encrypt each plaintext block separately
Properties of ECB
• Simple and efficient• Parallel implementation possible• Does not conceal plaintext patterns• Active attacks are possible (plaintext can be easily manipulated by removing, repeating, or interchanging blocks).
ECB: plaintext repetitionsplaintext ciphertext ECB good cyphertext
CBC (Cipher Block Chaining) mode
m1
Ek
C1
m2
Ek
C2
m3
Ek
C3
seed
Previous ciphertext is XORed with current plaintextbefore encrypting current block.• Seed is used to start the process; it can be sent without encryption• Seed =0 safe in most but NOT all cases (eg assume the file withsalaries is sent once a month, with the same seed we can detectchanges in the salaries) therefore a random seed is better
CBC (Cipher Block Chaining): decryption
m1
Dk
C1
m2
Dk
C2
m3
Dk
C3
seed
ProblemIF a transmission error changes one bit of C(i-1) -THEN block mi changes in a predicatble wayBUT there are unpredictable changes in m (i-1);Solution: always use error detecting codes (for example CRC) to checkquality of transmissione
Properties of CBC
• Asynchronous stream cipher• Errors in one ciphertext block propagate• Conceals plaintext patterns• No parallel implementation known• Plaintext cannot be easily manipulated.• Standard in most systems: SSL, IPSec
etc.
OFB Mode(Output FeedBack)
An initialization vector s0 is use as a``seed'’ for a sequence of data blocks si
s0= seed
OFB modeDiscussion• If f is public (known to the adversary) then initial seed s0
must be encrypted (why?)• If f is a cryptographic funnction that depends on a secret
key then initial sees can be sent in the clear (why?)• Initial seed must be modified for EVERY new message -
even if is protected and unknown to the adversary (in factif the adv knows a pair message, initial seed then he canencode every message - why?)
• Extension: it can be modified in such a way that only k bitsare used to compute the ciphertext (k-OFB)
Properties of OFB
• Synchronous stream cipher• Errors in ciphertext do not propagate• Pre-processing is possible• Conceals plaintext patterns• No parallel implementation known• Active attacks by manipulating plaintext
are possible
CTR (Counter Mode)
seed
Ek
C1
seed +1
Ek
C2
seed +2
Ek
C3
Similar to OFB•There are problems in repeated use of same seed (like OFB)•CTR vs OFB: using CTR you can decrypt the message starting fromblock i for any i (i.e. You do not need to decrypt from the first blockas in OFB)
m1 m2 m3
AES Proposed Modes
• CTR (Counter) mode (OFB modification):Parallel implementation, offline pre-processing, provable security, simple andefficient
• OCB (Offset Codebook) mode - parallelimplementation, offline preprocessing,provable security (under specificassumptions), authenticity
Strengthening a GivenCipher
• Design multiple key lengths – AES• Whitening - the DESX idea• Iterated ciphers – Triple DES (3-
DES), triple IDEA and so on
Triple Cipher - DiagramP
Ek1
C
Ek2
Ek3
Iterated Ciphers
• Plaintext undergoes encryption repeatedlyby underlying cipher
• Ideally, each stage uses a different key• In practice triple cipher is usually
C= Ek1(Ek2(Ek1(P))) [EEE mode] orC= Ek1(Dk2(Ek1(P))) [EDE mode]EDE is more common in practice
Two or Three Keys
• Sometimes only two keys are used in 3-DES• Identical key must be at beginning and end• Legal advantage (export license) due to
smaller overall key size• Used as a KEK in the BPI protocol which
secures the DOCSIS cable modemstandard
Adverary’s goal
• Final goal: find the secret key• Partial goals:
– Reduee the no of possible keys– Detect patterns in the text– Decode part of the text– Modify the cipertext obtaining a plausible text
(even without breaking the cipher; evenwithout knowing which modifications)
Repeated coding
• To increase the robustness performmultiple encryption. How many times?2,3, 678?
• In practice triple cipherC= Ek1(Ek2(Ek1(P))) [EEE mode ] orC= Ek1(Dk2(Ek1(P))) [EDE mode]EDE more used
Double DES: man in the middleattack
Cipher twice with two different keys? NOMan in th emiddle attack. Requirements
– Known plaintext and ciphertext– 2k+1 encryption and decryption (2 keys of k bit)– |k|2|k| memory space– Idea: try all possible encryptions of the plaintext and all
possible decryption of the ciphertext. Check for a pairof keys that transform the palintext in the ciphertext.
– Note: the method can be applied to all block codes
Triple encodingP
Ek1
C
Ek2
Ek3
Triple encoding and CBCM1
Ek1
Ek2
M2
Ek1
C1
Mn
Ek1
0000000
... . . . .....
Ek3
Ek2
C2
Ek3
In the picture: External CBC: code (using triple encoding) eachblock ; then concatenate
Other possibility: Internal CBC (the concatenation depends onthe level of encoding)
Group and Fields
AESAdvanced Encryption Standard
Review - Groups
Def (group): A set G with a binary operation +(addition) is called a commutative group if
1 ∀ a,b∈G, a+b∈G2 ∀ a,b,c∈G, (a+b)+c=a+(b+c)3 ∀ a,b∈G, a+b=b+a4 ∃ 0∈G, ∀ a∈G, a+0=a5 ∀ a∈G, ∃ -a∈G, a+(-a)=0
+,0, and -aare only notations!
Sub-groups
• Let (G, +) be a group, (H,+) is a sub-groupof (G,+) if it is a group, and H⊆G.
• Claim: Let (G, +) be a finite group, and H⊆G. If H is closed under +, then (H,+) is asub-group of (G,+).
• Examples• Lagrange theorem: if G is finite and (H,+)
is a sub-group of (G,+) then |H| divides |G|
Order of Elements
• Let an denote a+…+a (n times)• We say that a is of order n if an = 0, and
for any m<n, am≠0• Examples• Euler theorem: In the multiplicative group
of Zm, every element is of order at most φ(m).
Cyclic Groups• Claim: let G be a group and a be an
element of order n. The set <a>={1, a,…,an-1} is a sub-group of G.• a is called the generator of <a>.• If G is generated by a, then G is
called cyclic, and a is called aprimitive element of G.
• Theorem: for any prime p, themultiplicative group of Zp is cyclic
GroupZ set of integers (positive and negative) ;Zn integer modulo n (0,,2,3,…,n-1); Z*n =(1,2,3,…,n-1);- Z and addition (0 identity; -a inverse of a) is a group- Zn and addition addizione is a group (0 identity; -a inverse of a)- Zn and multiplication is NOT a group (inverse exist only for 1 and -1)- Set of rational numbers and multiplication is a group- Z*n [a mod n] and multiplication IS NOT ALWAYS a group
- n=6 then {1,2,3,4,5} is not close (2*3= 0 mod 6)- n prime then it is a group
- Zn* [a mod n] and multiplication if MCD(a,n) = 1 is a group ( 1 is identity- And if as + nt = 1 mod n then s is inverse of a
- n =15 then {1,2,4,7,8,11,13,14}- n=5 {1,2,3,4} (in fact all numbers are prim ewith 5)
Review - RingsDef (ring): A set F with two binaryoperations + (addition) and · (multiplication) is called a commutative ring with identity if
6 ∀ a,b∈F, a·b∈F7 ∀ a,b,c∈F, (a·b)·c=a·(b·c)8 ∀ a,b∈F, a·b=b·a9 ∃ 1∈F, ∀ a∈F, a·1=a10 ∀ a,b,c∈F,a·(b+c)=a·b+a·c
1 ∀ a,b∈F, a+b∈F2 ∀ a,b,c∈F, (a+b)+c=a+(b+c)3 ∀ a,b∈F, a+b=b+a4 ∃ 0∈F, ∀ a∈F, a+0=a5 ∀ a∈F, ∃ -a∈F, a+(-a)=0
+,·,0, 1 and-a are only notations!
Review - FieldsDef (field): A set F with two binaryoperations + (addition) and · (multiplication) is called a field if
6 ∀ a,b∈F, a·b∈F7 ∀ a,b,c∈F, (a·b)·c=a·(b·c)8 ∀ a,b∈F, a·b=b·a9 ∃ 1∈F, ∀ a∈F, a·1=a10 ∀ a,b,c∈F,a·(b+c)=a·b+a·c
1 ∀ a,b∈F, a+b∈F2 ∀ a,b,c∈F, (a+b)+c=a+(b+c)3 ∀ a,b∈F, a+b=b+a4 ∃ 0∈F, ∀ a∈F, a+0=a5 ∀ a∈F, ∃ -a∈F, a+(-a)=0
11 ∀ a≠0∈F, ∃ a-1∈F, a·a-1=1
+,·,0, 1,-a and a-1 are
only notations!
Review - Fields
A field is a commutative ring with identity where eachnon-zero element has a multiplicative inverse
∀ a≠0∈F, ∃ a-1∈F, a·a-1=1
Equivalently, (F,+) is a commutative (additive) group,and (F \ {0}, ·) is a commutative (multiplicative) group.
ExamplesZn with addition and multiplication is a ring but not always a field• n=15 NO ( {1,2,3,4,….,15} is not a group with resepct ot
multiplication)• n=5 Yes ( {1,2,3,4} is a gropu w.r.t. multiplication)
Polynomials over Fields
Let f(x)= an·xn + an-1·xn-1 + an-2·xn-2 + … + a1·x + a0be a polynomial of degree n in one variable x over a fieldF (namely an, an-1,…, a1, a0 ∈ F).
Theorem: The equation f(x)=0 has at most n solutions in F.
Remark: The theorem does not hold over rings with identity. For example, in Z24 the equation 6·x = 0 has six solutions (0,4,8,12,16,20).
Polynomial RemaindersLet f(x)= an·xn + an-1·xn-1 + an-2·xn-2 + … + a1·x + a0
g(x)= bm·xm + bm-1·xm-1 + bm-2·xm-2 + … + b1·x + b0be two polynomials over F such that m < n (or m=n).
Theorem: There is a unique polynomial r(x) of degree < mover F such that f(x) = h(x) · g(x) + r(x).
Remark: r(x) is called the remainder of f(x) modulo g(x).
Finite FieldsDef (finite field): A field (F,+,·) is called a finite field if the
set F is finite.
Example: Zp denotes {0,1,...,p-1}. We define + and · as additionand multiplication modulo p, respectively.
One can prove that (Zp,+,·) is a field iff p is prime.
Q.: Are there any finite fields except (Zp,+,·) ?
Galois Fields GF(pk)
Évariste Galois (1811-1832)
Theorem: For every prime power pk (k=1,2,…) there is aunique finite field containing pk elements. These fields aredenoted by GF(pk).There are no finite fields with other cardinalities.
Polynomials over Finite FieldsPolynomial equations and factorizations in finitefields can be different than over the rationals.
Examples from an XMAPLE session:
Irreducible PolynomialsA polynomial is irreducible in GF(p) if it does not factor overGF(p). Otherwise it is reducible.
Examples:
The same polynomial is reducible in Z5 but irreducible in Z2.
Implementing GF(p^k) arithmetic
Theorem: Let f(x) be an irreducible polynomialof degree k over Zp.
The finite field GF(pk) can be realized as the set
of degree k-1 polynomials over Zp, with additionand multiplication done modulo f(x).
Example: Implementing GF(2^k)
By the theorem the finite field GF(25) can be realized as
the set of degree 4 polynomials over Z2, with additionand multiplication done modulo the irreducible polynomialf(x)=x5+x4+x3+x+1.
The coefficients of polynomials over Z2 are 0 or 1.So a degree k polynomial can be written down by k+1 bits.For example, with k=4:
x3+x+1 (0,1,0,1,1)
x4+ x3+x+1 (1,1,0,1,1)
Implementing GF(2^k)
Addition: bit-wise XOR (since 1+1=0)
x3+x+1 (0,1,0,1,1) + x4+ x3+x (1,1,0,1,0)------------------------------- x4 +1 (1,0,0,0,1)
Multiplication: Polynomial multiplication, and then remainder modulo the defining polynomial f(x):
Implementing GF(2^k)
For small size finite field, a lookup table is the most efficientmethod for implementing multiplication.
(1,1,0,1,1) *(0,1,0,1,1)
= (1,1,0,0,1)
Implementing GF(25) in XMAPLE
Irreducible polynomial
More GF(25) Operations in XMAPLEAddition: b+c
test primitive element
e <--inverse of a Multiplication: a*e
Loop forfinding primitiveelements
Back to Symmetric BlockCiphers
out in
DES AES
Historic NoteDES (data encryption standard) is a symmetric block cipherusing 64 bit blocks and a 56 bit key.
Developed at IBM, approved by the US goverment (1976)as a standard. Size of key (56 bits) was apparently small enough to allow the NSA (US national security agency) tobreak it exhaustively even back in 70’s.
In the 90’s it became clear that DES is too weak for contemporary hardware & algorithmics. (Best attack, Matsui“linear attack”, requires only 243 known plaintext/ciphertextpairs.)
Historic Note (cont.)The US government NIST (national inst. of standards and technology) announced a call for an advanced encryption standard in 1997.
This was an international open competition.Overall, 15 proposals were made and evaluated, and 6 were finalists. Out of those, a proposal namedRijndael, by Daemen and Rijmen (two Belgians) was chosen in February 2001.
AES - Advanced Encryption Standard
• Symmetric block cipher• Key lengthes: 128, 192, or 256 bits• Approved US standard (2001)
AES Design Rationale
• Resistance to all known attacks.
• Speed and code compactness.
• Simplicity.
AES Specifications• Input & output block length: 128 bits.
• State: 128 bits, arranged in a 4-by-4 matrix of bytes.
A3,3A3,2A3,1A3,0
A2,3A2,2A2,1A2,0
A1,3A1,2A1,1A1,0
A0,3A0,2A0,1A0,0 Each byte is viewedas an element in GF(28)
Input/Output: A0,0, A1,0, A2,0, A3,0, A0,1,…
AES Specifications• Key length: 128, 196, 256 bits.
Cipher Key Layout: n = 128, 196, 256 bits, arranged in a 4-by-n/32 matrix of bytes.
K3,3
K2,3
K1,3
K0,3
K3,4
K2,4
K1,4
K0,4
K3,5K3,2K3,1K3,0
K2,5K2,2K2,1K2,0
K1,5K1,2K1,1K1,0
K0,5K0,2K0,1K0,0
Initial layout: K0,0, K1,0, K2,0, K3,0, K0,1,…
AES Specifications
• High level code:• AES(State,Key)
– KeyExpansion(Key,ExpandKey)– AddRoundKey(State,ExpandKey[0])– For (i=1; i<R; i++)
Round(State,ExpandKey[i]);– FinalRound(State,ExpandKey[R]);
Encryption: Carried out in rounds
input block (128 bits)
output block (128 bits)
Secret key (128 bits)
Rounds in AES128 bits AES uses 10 rounds, no shortcutsknown for 6 rounds• The secret key is expanded from 128 bits to 10 round keys, 128 bits each.• Each round changes the state, then XORS the round key. (For longer keys, addOne round for every extra 32 bits)
Each rounds complicates things a little. Overall it seems infeasible to invert without the secret key (but easy given the key).
AES Specifications: One Round
A3,3A3,2A3,1A3,0
A2,3A2,2A2,1A2,0
A1,3A1,2A1,1A1,0
A0,3A0,2A0,1A0,0
Transform the state by applying:
1. Substitution.2. Shift rows3. Mix columns
4. XOR round key
Substitution operates on every Byteseparately: Ai,j <-- Ai,j
-1 (multiplicative inverse in GF(28)which is highly non linear.)
Substitution (S-Box)
If Ai,j =0, don’t change Ai,j .
Clearly, the substitution is invertible.
Cyclic Shift of Rows
A3,0A3,3A3,2A3,1
A2,1A2,0A2,3A2,2
A1,2A1,1A1,0A1,3
A0,3A0,2A0,1A0,0 no shift shift 1 position shift 2 positions shift 3 positions
Clearly, the shift is invertible.
Mixing Columns Every state column is considered as a Polynomial over GF(28)
Multiply with an invertible polynomial03 x3 + 01x2 + 01x + 02 (mod x4 + 1)Inv = 0B x3 + 0D x2 +09 x + 0E
Round: Subbytes(State) ShiftRows(State) MixColumns(State) AddRoundKey(State,ExpandedKey[i])
Key Expansion
• Generate a “different key” per round• Need a 4 x 4 matrix of values (over
GF(28)) per round• Based upon a non-linear transformation of
the original key.• Details available:• The Design of Rijndael, Joan Daemen and
Vincent Rijmen, Springer
Breaking AESBreaking 1 or 2 rounds is easy.
It is not known how to break 5 rounds.
Breaking the full 10 rounds AES efficiently (say 1 year on existing hardware, or in less than 2128 operations) is considered impossible ! (a good, tough challenge…)
Exercises1. Evaluate error propagation in CBC e OFB:
• Show how an adevrsary can modify a block as he/sheprefers assuming that the remaining part of themessage is modified
• Discuss the security of this and techniques foravoiding such attacks
2. CBC and OFB use and initial seed that must be known toboth the sender and the receiver• Assume that the initial seed is sent in the clear (so
it is known to the adversary). Show how theadversary is able to modify part of the messahe.Conclusion: either the initial seed is fixed inadvance or it muts be encypted and sent before thmessage
• Break OFB if you use the same key and the sameinitial seed mote than once