FORESEC Academy ENCRYPTION 102 FORESEC Academy Security Essentials (IV)
Feb 25, 2016
FORESEC Academy
ENCRYPTION 102FORESEC Academy Security Essentials (IV)
FORESEC Academy
Why do I Care about Crypto?
FORESEC Academy
Concepts in Cryptography
FORESEC Academy
Concepts in Cryptography (2)
Tractable Problems
Intractable Problems
“Easy” problems. Can be solved in polynomial time (i.e., “quickly”) for certain inputs
Examples :• constant problems• linear problems• quadratic problems• cubic problems
“Hard” problems. Cannot be solved in polynomial time (i.e., “quickly”)
Examples :• exponential or super-polynomial problems• factoring large integers into primes (RSA)• solving the discrete logarithm problem(ElGamal)• computing elliptic curves in a finite field (ECC)
Computational Complexity deals with time and space requirements for the execution of algorithms.Problems can be classified astractable or intractable.
FORESEC Academy
Concepts in Cryptography (3)
An Example of an Intractable Problem...
Difficulty of factoring a large integer into its two
prime factors
A “hard” problem Years of intense public scrutiny
suggest intractability No mathematical proof so far
Example: RSA• based on difficulty of factoring a large integer into its prime factors• ~1000 times slower than DES • considered “secure”• de facto standard• patent expired in 2000
FORESEC Academy
Concepts in Cryptography (4)
A “hard” problem Years of intense public scrutiny
suggest intractability No mathematical proof so far The discrete logarithm problem
is as difficult as the problem offactoring a large integer into itsprime factors
Another Intractable Problem…Difficulty of solving the discrete logarithm problem --for finite fields
Examples• El Gamal encryption and signature schemes• Diffie-Hellman key agreement scheme• Schnorr signature scheme• NIST.s Digital Signature Algorithm (DSA)
FORESEC Academy
Concepts in Cryptography (5)
A “hard” Problem Years of intense public scrutiny
suggest intractability No mathematical proof so far In general, elliptic curve
cryptosystems (ECC) offerhigher speed, lower powerconsumption, and tighter code
Yet Another Intractable Problem...Difficulty of solving the discrete logarithm problem--as applied to elliptic curves Examples
• Elliptic curve El Gamal encryption and signatureschemes Elliptic curve Diffie-Hellmankey agreement scheme Schnorr signature scheme• NIST.s Digital Signature Algorithm (DSA)
FORESEC Academy
Voila! We Can Now Build...
FORESEC Academy
DES: Data Encryption Standard
Released March 17, 1975 Rather fast encryption algorithm Widely used; a de facto standard Symmetric-key, 64-bit block cipher 56-bit key size ! Small 256 keyspace Today, DES is not considered secure
FORESEC Academy
DES Weaknesses
DES is considered non-secure for very sensitive encryption. It is crackable in a short period of time.
See the Cracking DES book by O’Reilly. Multiple encryptions and key size will increase
the security. Double DES is vulnerable to the meet-in-the-
middle attack and only has an effective keylength of 57 bits.
Triple DES is preferred.
FORESEC Academy
DES
In 1992 it was proven that DES is not agroup. This means that multiple DESencryptions are not equivalent to asingle encryption. THIS IS A GOODTHING.
If something is a group then- E(K2,E(K,M)) = E(K3,M)
Since DES is not a group, multipleencryptions will increase the security.
FORESEC Academy
Meet-in-the-middle Attack
FORESEC Academy
Triple DES
USAGE VULNERABILITIESSupported in latest releases of Web clients, such as Microsoft Internet Explorer & Netscape Communicator
Prefer Triple DES over DES(which is . officially . No longer considered to be secure)
Cracking Triple DES means examining all possible pairs of crypto-variables (a task considered to be beyond today’s technology)
So far, there have been no public reports claiming to have cracked Triple DES...
FORESEC Academy
Triple DES (2)
FORESEC Academy
AES
THE FIVE “AES” FINALISTS ! MARS IBM RC6tm RSA Laboratories Rijndael Joan Daemen, Vincent Rijmen Serpent Ross Anderson, Eli Biham, Lars Knudsen Twofish Bruce Schneier, John Kelsey, Doug Whiting,
David Wagner, Chris Hall, Niels Ferguson Significance
Developing “good” cryptographic algorithms that can be trusted is
hard. The only practical way to develop such algorithms is toperform the development process in an open manner, and underintense public scrutiny of the global cryptographic community.Can you think of a recent example in which this was not followed?
• Advanced Encryption Standard• AES is a new encryption algorithm(s) that is being designed to be effective well into the 21st century
Countdownto AES !• 1/2/1997, the quest for AES begins...• 8/9/1999, five finalist algorithms announced• Announced winner – Rijndeal• 12/26/2001 – AES approved!
FORESEC Academy
AES Algorithm