Engineering Cryptographic Applications
Day 1: Symmetric Encryption
Microstrategy Course, 4 October 2013
David Evans, University of Virginia, www.cs.virginia.edu/evans
May 11, 2015
Engineering Crypto Applications 2
Plan for the Course
Today: Symmetric Encryption
– Introduction, a bit of History
– Perfect Ciphers
– Cryptanalysis of Imperfect Ciphers
– Modern Symmetric Ciphers
Oct 11 (10:30am): Implementation, Authentication
Oct 18 (10:30am): Public-Key Protocols
Oct 25 (10:30am): New Applications
Goal of The Course?
Learn enough so you can design and implement crypto applications
Learn enough so you know how hard it is to get crypto right, and will not be foolish enough to try it based on an 8-hour course!
User Interaction Design
• Every programmer thinks they can do it.
• Obscenely over-paid consultants claim they can’t.
• If you get it wrong, every customer notices (and leaves).
Cryptosystem Design
• Every engineer with a strong math background thinks they can do it.
• Obscenely over-paid consultants claim they can’t.
• If you get it wrong, probably no one notices.
“If they had consulted with anyone that knows anything about password security, this would not have happened,” said Paul Kocher, president of Cryptography Research, a San Francisco computer security firm.
Karsten Nohl, …, said the encryption hole allowed outsiders to obtain a SIM card’s digital key, …, which let him eavesdrop on a caller, make purchases through mobile payment systems and even impersonate the phone’s owner… as many as 750 million phones may be vulnerable to attacks… Mr. Nohl said. “We can spy on you. We know your encryption keys for calls. We can read your S.M.S.’s. More than just spying, we can steal data from the SIM card, your mobile identity, and charge to your account.”
Real Goals
• Know enough to avoid obviously bad crypto designs and implementations
• Know enough to be able to ask important questions about cryptosystems
• Know enough to know what you need to learn more about to build something secure
• …and hopefully fun and interesting for everyone!
What is cryptology?
• Greek: κρυπτός = “kryptos” = hidden (secret)
• Cryptography – secret writing
• Cryptanalysis – analyzing (breaking) secrets
Cryptanalysis is what an attacker does; decryption is what the intended receiver does
• Cryptosystems – systems that use secrets
• Cryptology – science of secrets
Cryptology is a branch of mathematics: about abstract numbers and functions.
Security is an engineering goal: it involves mathematics, but is mostly about real implementations and people.
Introductions
[Figure: Alice encrypts plaintext to ciphertext and sends it over an insecure channel (e.g., the Internet) to Bob, who decrypts it back to plaintext. Eve is a passive attacker who only observes the channel; Mallory is an active attacker who can also interfere with what is sent.]
Message Cryptosystem
[Figure: Encrypt maps plaintext to ciphertext; Decrypt maps ciphertext back to plaintext.]
Two functions: E(m: byte[]) → byte[] and D(c: byte[]) → byte[]
Correctness property: for all possible messages m, D(E(m)) = m
Security property: given c = E(m), it is “hard” to learn anything interesting about m.
It is possible to state the security property precisely (and prove a cryptosystem satisfies it given hardness assumptions). This is the main thing Shafi Goldwasser and Silvio Micali did in the 1980s to win the 2013 Turing Award.
Kerckhoffs’s Principle
Auguste Kerckhoffs (1883): a cryptosystem should remain secure even if everything about it, except the key, is public knowledge.
Algorithms Can Run, But They Can’t Hide
[Figure: car theft rate by model year, source: hldi.org; photo of a Mifare RFID card]
Inside the Mifare Chip
[Figure: die photograph of the Mifare chip; scale bar 0.01 mm (10000 nm)]
Zooming in on the Logic…
[Figure: die image of one gate, shown rotated and rotated + mirrored, matched against a library cell: a 4-input NAND, Y = !(A & B & C & D)]
Mifare Crypto-1
[Figure: structure of the Crypto-1 stream cipher as recovered from the silicon: a 48-bit LFSR whose state feeds a nonlinear filter function f(·) that produces the key stream; the reader’s challenge (from an RNG) and the card ID are XORed into the register, and the key stream is XORed with the data to form the response.]
“The enemy knows the system being used.”
Claude Shannon, Communication Theory of Secrecy Systems (1949)
Claude Shannon, 1916-2001
what I would have said last month…
Security through obscurity is a bad idea – much better to use publicly vetted standards that have been scrutinized by experts and rely on the key for security.
what I’d say today…
You’re probably still better off using well-vetted open standards. Just be wary of ones the NSA could influence.
(Keyed) Symmetric Cryptosystem
[Figure: Encrypt and Decrypt now each take a Key as input; plaintext → ciphertext → insecure channel → plaintext.]
Only secret is the key, not the E and D functions, which now take the key as input.
Asymmetric crypto: different keys for E and D, so you can reveal E without revealing D.
Jefferson’s Wheel Cipher
• 26 wheels arranged in a secret order on a spindle
• Each wheel has a randomly permuted alphabet around its rim
• Encrypt: turn wheels to display plaintext, then pick a “random” row and that is the ciphertext
• Decrypt: arrange wheels in the same (secret) order, line up the ciphertext, look around the wheel for the plaintext
Who was the real cryptographer?
Auguste Kerckhoffs (1883)
Thomas Jefferson (1790s)
on the periphery of each, and between the black lines, put all the letters of the alphabet, not in their established order, but jumbled, & without order, so that no two shall be alike. now string them in their numerical order on an iron axis, one end of which has a head, and the other a nut and screw; the use of which is to hold them firm in any given position when you choose it.
Jefferson’s description of wheel cipher (1802)
Key Space
Key space: K = set of possible keys
Key is order of wheels on spindle: |K| = 26 × 25 × … × 1 = 26! > 10^26
Key is jumbling of letters on wheels: |K| = (26 × 25 × … × 1)^26 = (26!)^26 > 10^691
Brute force attack: try all keys until you find one that “works”
(Im)Practicality of Brute Force Attacks
Minimum energy needed to flip one bit (Landauer limit) ≈ kT ln 2 ≈ 2.8 zeptojoules
k ≈ 1.4 × 10^-23 J/K (Boltzmann’s constant); T = temperature (Kelvin), taken as 300 K
Bit Flips | Energy | WolframAlpha Description
2^40 (Mifare Crypto-1) | 3 × 10^-9 J | “mass-energy equivalent of a Z boson”
2^56 (DES) | 2 × 10^-4 J | “acoustic energy in a whisper”
2^80 (“low security”) | 3 × 10^3 J | “metabolic energy of one gram of sugar”
26! (Jefferson + Kerckhoffs) | 1 × 10^6 J | “energy of one gram of gasoline”
2^128 (AES minimum) | 9 × 10^17 J | “twice energy consumption of Norway in 1998”
2^256 (AES maximum) | 3 × 10^56 J | “1/120th mass energy equivalent of galaxy’s visible mass”
This is the most optimistic (unrealistic) case for a brute-force attack: the attacker does nothing but enumerate keys, paying only the physically minimal energy per bit flip.
But this assumes no attack better than brute force exists. All of these ciphers have weaknesses, and are less secure (in several cases, much less) than the maximum possible for their key size.
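The energy table above, recomputed, with the inverse questions a practitioner actually asks (how long at a given power budget, and how many key bits a given energy budget can exhaust). This is an added example, not code from the deck; Boltzmann’s constant and T = 300 K are as on the slide, while the world-energy figure is an assumed round number, not a sourced value.

```python
"""Landauer-limit cost of brute force, worked through for the key sizes in the table.

Added example (not from the slides). Boltzmann's constant and T = 300 K follow the
slide; WORLD_ENERGY_J_PER_YEAR is an assumed round figure, not a sourced statistic.
"""
import math

BOLTZMANN_J_PER_K = 1.380649e-23
ROOM_TEMP_K = 300.0
BIT_FLIP_J = BOLTZMANN_J_PER_K * ROOM_TEMP_K * math.log(2)   # kT ln 2 ~= 2.87e-21 J

WORLD_ENERGY_J_PER_YEAR = 5.8e20   # assumption: rough total world primary energy use per year
SECONDS_PER_YEAR = 365.25 * 86400


def brute_force_joules(key_bits: float) -> float:
    """Minimum energy to enumerate 2**key_bits keys when each key costs one bit flip."""
    return 2.0 ** key_bits * BIT_FLIP_J


def brute_force_years(key_bits: float, watts: float) -> float:
    """How long the same enumeration takes with a fixed power budget."""
    return brute_force_joules(key_bits) / watts / SECONDS_PER_YEAR


def affordable_key_bits(joules: float) -> float:
    """Inverse: the largest key size a given energy budget can exhaust at the Landauer limit."""
    return math.log2(joules / BIT_FLIP_J)


def energy_table() -> dict:
    """The slide's table, recomputed. 26! is handled via its log2 (~88.4 bits)."""
    sizes = {
        "2^40 (Mifare Crypto-1)": 40,
        "2^56 (DES)": 56,
        "2^80 (low security)": 80,
        "26! (Jefferson + Kerckhoffs)": math.log2(math.factorial(26)),
        "2^128 (AES minimum)": 128,
        "2^256 (AES maximum)": 256,
    }
    return {name: brute_force_joules(bits) for name, bits in sizes.items()}


if __name__ == "__main__":
    for name, joules in energy_table().items():
        print(f"{name:32s} {joules:10.2e} J")
    world_watts = WORLD_ENERGY_J_PER_YEAR / SECONDS_PER_YEAR
    print(f"2^128 at the whole world's power: {brute_force_years(128, world_watts):.2e} years")
    print(f"One year of world energy exhausts about {affordable_key_bits(WORLD_ENERGY_J_PER_YEAR):.0f} bits")
```

Under the assumed world-energy figure a year of the planet’s entire energy output reaches only about 137 bits, which is the practical reason 128-bit keys are treated as out of reach for brute force and 256-bit keys as out of reach for any physics we know; it says nothing about attacks better than brute force.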
Can any cipher resist an infinitely powerful brute-force attacker?
Claude Shannon, A Mathematical Theory of Cryptography, 1945 (declassified later)
Yes! Check out my perfect cipher! (It’s the only one.)
Exclusive Or
0 ⊕ 0 = 0
0 ⊕ 1 = 1
1 ⊕ 0 = 1
1 ⊕ 1 = 0
Invertible: (A ⊕ B) ⊕ B = A
One-Time Pad
C[i] = M[i] ⊕ K[i], with Pr(K[i] = 0) = Pr(K[i] = 1) = ½
Pr(C[i] = 0) = Pr(M[i] = 0) × Pr(K[i] = 0) + Pr(M[i] = 1) × Pr(K[i] = 1)
= ½ Pr(M[i] = 0) + ½ Pr(M[i] = 1)
= ½ Pr(M[i] = 0) + ½ (1 − Pr(M[i] = 0))
= ½
Perfect secrecy! Ciphertext reveals nothing about message.
Vernam’s One-Time Pad (1919)
Key: a long paper tape with random letters on it (5-bit code)
Cannot reuse key – tape must be very very long
Why perfectly secure?
For any intercepted ciphertext, without knowing the key all plaintexts are equally possible.
C:  1000101 0110100 1010101 0011001
K1: 0001000 1100111 0000001 1001011
M1: 1001101 1010011 1010100 1010010  = M S T R
K2: 0001000 1100111 0010011 1001101
M2: 1001101 1010011 1000110 1010100  = M S F T
No Other Perfect Ciphers
[Figure: messages M1 … Mn on the left, ciphertexts C1 … Cn on the right, keys Ki, Kj labelling the arrows between them.]
To be perfect, there must be a key that maps each message to each ciphertext: |K| ≥ |M|. Hence, any practical cipher must be imperfect!
(This is what Shannon proved in the 1945 paper.)
Cryptanalysis
[Figure: Alice encrypts with the key and sends ciphertext over the insecure channel to Bob, who decrypts with the key; Eve cryptanalyzes the intercepted ciphertext to recover the plaintext (or something useful).]
The World in July 1941http://commons.wikimedia.org/wiki/File:Ww2_allied_axis_1941_jul.png
Bletchley Park
21st October 1941
Dear Prime Minister,
Some weeks ago you paid us the honour of a visit, and we believe that you regard our work as important. … it seems to us that we have met with unnecessary impediments. …The cumulative effect, however, has been to drive us to the conviction that the importance of the work is not being impressed with sufficient force upon those outside authorities with whom we have to deal.
A.M. Turing (+ 3 others)
Winston Churchill: “ACTION THIS DAY”
Alan Turing
HQIBPEXEZMUG!
August 30, 1941: a Lorenz operator retransmits a failed message with the same starting configuration; gets lazy and uses some abbreviations, makes some mistakes
SPRUCHNUMMER/SPRUCHNR (Serial Number)
[Photo: GCHQ today (not what it looked like in 1941!)]
“Two Time” Pad
Allies have intercepted:
C1 = M1 ⊕ K1
C2 = M2 ⊕ K1
C1 ⊕ C2 = M1 ⊕ K1 ⊕ M2 ⊕ K1 = M1 ⊕ M2
“Cribs”
Don’t know M1 or M2, but know they are in German and can make some guesses (cribs): SPRUCHNUMMER, ADOLF HITLER, FUHRER
Given a guess for M1, calculate M2 = C1 ⊕ C2 ⊕ M1
If M2 seems plausible, calculate the key: K1 = M1 ⊕ C1
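The one-time pad, the “every plaintext is equally possible” argument, and the two-time-pad crib attack from the preceding slides, carried out in code. This is an added example, not code from the deck: the two messages, the pad and the crib are constructed for the demo, and bytes stand in for the 5-bit Baudot characters on the slides (the XOR algebra is identical).

```python
"""One-time pad: perfect secrecy, and what happens when the pad is reused.

Added example for this deck; not code from the slides. Messages, pad and crib
are constructed for the demo; bytes stand in for 5-bit Baudot characters.
"""
import os

# Assumed "looks like a telegram" alphabet used to judge whether a recovered fragment is plausible.
ALLOWED = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ .,")


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(message: bytes, key: bytes) -> bytes:
    """C[i] = M[i] ^ K[i]; the pad must be at least as long as the message (and never reused)."""
    if len(key) < len(message):
        raise ValueError("pad shorter than message")
    return xor_bytes(message, key)


otp_decrypt = otp_encrypt  # XOR is its own inverse, so D(C, K) = C ^ K


def key_that_explains(ciphertext: bytes, claimed_plaintext: bytes) -> bytes:
    """Perfect secrecy in one line: for ANY plaintext of the right length there is a
    key that decrypts the ciphertext to it, so the ciphertext alone reveals nothing."""
    return xor_bytes(ciphertext, claimed_plaintext)


def crib_drag(c1: bytes, c2: bytes, crib: bytes) -> list:
    """Two-time pad: C1 ^ C2 = M1 ^ M2, the key cancels. Slide a guessed fragment of
    one message along that XOR; wherever the guess is right, the other message's bytes
    fall out. Returns (offset, fragment) pairs whose bytes all look like telegram text."""
    diff = xor_bytes(c1, c2)
    hits = []
    for off in range(len(diff) - len(crib) + 1):
        frag = xor_bytes(diff[off:off + len(crib)], crib)
        if all(b in ALLOWED for b in frag):
            hits.append((off, frag))
    return hits


def recover_key(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Once a whole message is guessed, K = M ^ C, and everything else sent under that pad is readable."""
    return xor_bytes(ciphertext, known_plaintext)


# Constructed demo traffic (not from the slides): an operator reuses the pad for a retransmission.
M1 = b"SPRUCHNUMMER ACHTZEHN. ANGRIFF BEGINNT UM SECHS UHR."
M2 = b"WIEDERHOLUNG VON SPRUCHNUMMER ACHTZEHN, BITTE BESTAETIGEN."
PAD = os.urandom(max(len(M1), len(M2)))
C1 = otp_encrypt(M1, PAD)
C2 = otp_encrypt(M2, PAD)


def demo() -> dict:
    # 1. Perfect secrecy: the same ciphertext is consistent with MSTR and with MSFT.
    c = otp_encrypt(b"MSTR", PAD[:4])
    alt = otp_decrypt(c, key_that_explains(c, b"MSFT"))
    # 2. Two-time pad: drag the crib, then recover the pad from the fully guessed M1
    #    and use it to read the other message.
    hits = crib_drag(C1, C2, b"SPRUCHNUMMER")
    key = recover_key(C1, M1)
    return {"alt_plaintext": alt, "crib_hits": hits, "m2_from_pad": otp_decrypt(C2[:len(M1)], key)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Two of the crib hits are the real ones (offset 0 gives the start of the second message, offset 17 gives a stretch of the first); the rest are accidental matches that a human analyst discards by reading them, exactly the “if M2 seems plausible” step on the slide. Once either message is fully guessed the pad falls out and the other message is read in full.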
Reverse Engineering Lorenz
Brigadier John Tiltman (1894-1982): found the 4000-letter key K1 from the intercepted C1 and C2
Bill Tutte, U. Waterloo (1917-2002): figured out the machine design likely to produce K1
Main weakness: at each step, either all S wheels turn, or none do!
Knew the machine structure, but a different initial configuration was used for each message: need to find the wheel settings (10^19 possible), but the weakness lets two wheels be attacked on their own, reducing that step to 41 × 31 settings
[Figure: K wheels all rotate every letter; M1 and M2 rotate conditionally]
Recognizing a Good Guess
Intercepted message (divided into 5 channels, one for each Baudot code bit): z_{c,i} = m_{c,i} ⊕ x_{c,i} ⊕ s_{c,i}
(m: message; x and s: key, the parts from the other wheels and from the S-wheels)
Cryptanalyze: look for statistical properties
How many of the z_{c,i}’s are 0? ½ (not useful)
How many of (z_{c,i+1} ⊕ z_{c,i}) are 0? ½ (still not useful)
Double Delta
Combine two channels (Δ is the change from one letter to the next, e.g. Δz_{c,i} = z_{c,i} ⊕ z_{c,i+1}):
Δz_{1,i} ⊕ Δz_{2,i} = (Δm_{1,i} ⊕ Δm_{2,i}) ⊕ (Δx_{1,i} ⊕ Δx_{2,i}) ⊕ (Δs_{1,i} ⊕ Δs_{2,i})
Pr(Δx_{1,i} ⊕ Δx_{2,i} = 0) = ½ (key)
Pr(Δm_{1,i} ⊕ Δm_{2,i} = 0) > ½: Yippee! Message is in German, and a following letter is more likely to be a repetition than random
Pr(Δs_{1,i} ⊕ Δs_{2,i} = 0) > ½: Yippee! S-wheels only turn when the M-wheel is 1
Actual advantage ≈ 0.55
Using the Advantage
Try all configurations to find the one(s) with the highest number of 0s.
If the guess of X is incorrect: Pr(Δz_{1,i} ⊕ Δz_{2,i} ⊕ Δx_{1,i} ⊕ Δx_{2,i} = 0) = ½
If the guess of X is correct: Pr(Δz_{1,i} ⊕ Δz_{2,i} ⊕ Δx_{1,i} ⊕ Δx_{2,i} = 0) ≈ 0.55
# of double-delta operations to try every guess on a 10,000-letter message: 10,000 letters × 1271 settings × 7 per double delta = 89 M operations
Today: < 0.01 s on my phone… but this was 1943
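A simulation of the double-delta search from the “Recognizing a Good Guess”, “Double Delta” and “Using the Advantage” slides: build a toy cipher with the two biases the slides rely on (repeated letters in the message, S-wheels that often stand still), then try all 41 × 31 settings of two chi wheels and keep the one with the most zeros. This is an added example, not code from the deck, and it is not a model of the real Lorenz SZ40: the wheel lengths other than 41 and 31, the wheel patterns, the motor rule, the letter code and the message model are all constructed assumptions chosen so the statistic behaves as the slides describe.

```python
"""Toy double-delta (Tutte's "1+2 break-in") simulation. Added example; NOT the real Lorenz.

Assumptions (constructed for the demo): psi wheel lengths 43/47, random wheel patterns,
letters coded A=1..Z=26 as a stand-in for Baudot, a message that repeats its previous
letter with probability REPEAT_PROB, and psi wheels that stand still with probability
PSI_STAY_PROB (all together or not at all, the weakness named on the slides).
"""
import random

CHI_PERIODS = (41, 31)   # the two chi ("X") wheels searched: 41 x 31 = 1271 settings, as on the slide
PSI_PERIODS = (43, 47)   # assumed psi ("S") wheel lengths for the toy
REPEAT_PROB = 0.5        # assumed chance a letter repeats the previous one
PSI_STAY_PROB = 0.7      # assumed chance the psi wheels do not turn at a step


def make_wheel(rng, period):
    return [rng.getrandbits(1) for _ in range(period)]


def toy_message(rng, n):
    letters = [rng.randrange(1, 27)]
    for _ in range(n - 1):
        letters.append(letters[-1] if rng.random() < REPEAT_PROB else rng.randrange(1, 27))
    return letters


def encipher(rng, message, chi, chi_start, psi):
    """Return per-letter [z1, z2] for channels 0 and 1, where z = m ^ x ^ s.
    Chi wheels step every letter; psi wheels all step or all stay (motor simplified to a coin)."""
    z, p = [], 0
    for i, letter in enumerate(message):
        x = [chi[c][(chi_start[c] + i) % CHI_PERIODS[c]] for c in (0, 1)]
        s = [psi[c][p % PSI_PERIODS[c]] for c in (0, 1)]
        m = [(letter >> c) & 1 for c in (0, 1)]
        z.append([m[c] ^ x[c] ^ s[c] for c in (0, 1)])
        if rng.random() >= PSI_STAY_PROB:
            p += 1
    return z


def delta(bits):
    """Delta stream: bit i XOR bit i+1 (0 wherever the stream does not change)."""
    return [a ^ b for a, b in zip(bits, bits[1:])]


def cyclic_delta(wheel):
    return [wheel[j] ^ wheel[(j + 1) % len(wheel)] for j in range(len(wheel))]


def double_delta_zero_count(dz, dx0, dx1):
    """Count positions where D(z1)^D(z2)^D(x1)^D(x2) == 0 for one guessed chi setting."""
    return sum(1 for d, e, f in zip(dz, dx0, dx1) if d == e ^ f)


def recover_chi_setting(z, chi):
    """Colossus's job: score every 41 x 31 setting, return the best one, its zero rate,
    and the runner-up's rate (a wrong setting stays near 1/2)."""
    n = len(z) - 1
    dz = delta([z1 ^ z2 for z1, z2 in z])            # D(z1) ^ D(z2) == D(z1 ^ z2)
    dchi = [cyclic_delta(w) for w in chi]
    streams = [[[dchi[c][(start + i) % CHI_PERIODS[c]] for i in range(n)]
                for start in range(CHI_PERIODS[c])] for c in (0, 1)]
    scores = []
    for a in range(CHI_PERIODS[0]):
        for b in range(CHI_PERIODS[1]):
            scores.append((double_delta_zero_count(dz, streams[0][a], streams[1][b]) / n, (a, b)))
    scores.sort(reverse=True)
    (best_rate, best), (runner_up, _) = scores[0], scores[1]
    return best, best_rate, runner_up


def run_demo(seed=7, n_letters=5000):
    rng = random.Random(seed)
    chi = [make_wheel(rng, p) for p in CHI_PERIODS]
    psi = [make_wheel(rng, p) for p in PSI_PERIODS]
    true_setting = (rng.randrange(CHI_PERIODS[0]), rng.randrange(CHI_PERIODS[1]))
    z = encipher(rng, toy_message(rng, n_letters), chi, true_setting, psi)
    found, best_rate, runner_up = recover_chi_setting(z, chi)
    return true_setting, found, best_rate, runner_up


if __name__ == "__main__":
    true_setting, found, best_rate, runner_up = run_demo()
    print(f"true {true_setting}  recovered {found}  zero rate {best_rate:.3f}  runner-up {runner_up:.3f}")
```

With the assumed biases the correct setting shows roughly two-thirds zeros while every wrong setting sits near one half, a far larger gap than the real 0.55 on the slide; the point is the shape of the computation, not the numbers. The attacker never needs the message or the psi stream: knowing the wheel patterns (Kerckhoffs again) plus a statistical bias in the plaintext is enough to strip off the chi component, which is what the slides’ 10,000 × 1271 × 7 operation count is for.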
1943: Build the first (?) electronic, programmable computer: Colossus
Colossus Design
[Figure: the ciphertext tape is read by a tape reader at 5000 chars/second (tape moving at 50 km/h); an electronic keytext generator supplies the guessed key; logic tests for “= 0” and feeds a counter; a position counter tracks the tape; results go to a printer.]
Impact on WWII
10 Colossus machines operated at Bletchley
Decoded 63 million letters in Nazi messages
Learned German troop locations to plan D-Day
Modern Cryptanalysis
• Basically the same
+ Bigger, faster computers
– Less motivated, more bureaucratic government
• Know or reverse engineer the cipher algorithm
• Look for statistical weaknesses in ciphers to get some small advantage: because all ciphers are imperfect, there must be some
• Reduce the keyspace from brute-force search to a smaller incremental search
Path to AES
• DES (Data Encryption Standard)
– Developed at IBM in the 1970s; adopted as a federal standard (FIPS 46) by NBS in 1977, after review by the NSA
– 56-bit key
• By 1999: distributed.net (with the EFF’s Deep Crack machine) can break a DES key in 22 hours (today: < $10K to break a DES key)
• NIST selected AES (Advanced Encryption Standard) in 2001
– Open, public process
– Winner: Rijndael (developed by two Belgians, Joan Daemen and Vincent Rijmen)
Variable cost/strength:
Key sizes: 128, 192, 256 bits
Block size: 128 bits (the Rijndael design also allows 192 and 256, but the AES standard fixes 128)
Rounds: 10, 12, or 14 (for 128-, 192-, 256-bit keys respectively)
Special AES instructions in x86 (AES-NI)
AES Round
Each round (10-14 rounds total):
1. Byte substitution using a non-linear S-Box (lookup table)
2. Shift rows (of the 4 × 4 byte state square)
3. Mix columns – matrix multiplication over GF(2^8), i.e. polynomial arithmetic (omitted in the final round)
4. XOR with the round key
Most Common Mistake
S-Boxes: x = S[b], where S is a 256-byte table and b is an index into it.
The time this lookup takes varies with the value of b and the state of the cache, so an attacker who can measure timing learns something about b, and b depends on the key.
Keaton Mowery, Sriram Keelveedhi, and Hovav Shacham. Are AES x86 Cache Timing Attacks Still Feasible? (2012)
[Figure from Jeff Moser’s A Stick Figure Guide to the Advanced Encryption Standard (AES)]
Can the NSA break AES?
• Most actual uses: probably yes
– This is because of implementation flaws and user mistakes
• Correct implementation: probably not
– Best openly known attacks:
• Related-key attacks (2009): 2^95 operations (but only works in very rare circumstances)
• Key recovery attack (2011): 2^126 operations (to recover a 128-bit key)
(Assumes the most efficient computation physically possible and only bit flips for each operation.)
Summary
• Cryptography is an arms race between cryptographers and cryptanalysts
• In theory, the cryptanalysts should always win (all practical ciphers are imperfect)
• In our universe, computation requires energy, which is limited; who wins depends on deep questions we can’t yet answer (e.g., P = NP)
• In practice, most cryptosystems fail because of bad implementations and humans, not bad mathematics (× 1 trillion)
Plan for Next Week
Randomness
Using Symmetric Ciphers
Authentication
– what LinkedIn did wrong
– why biometrics can’t work
open to requests!