YOU ARE DOWNLOADING DOCUMENT

Please tick the box to continue:

Transcript
Page 1: 1 Symmetric Key Crypto Alfred C. Weaver Tom Horton CS453 Electronic Commerce.

1

Symmetric Key Crypto

Alfred C. WeaverTom Horton

CS453 Electronic Commerce

Page 2: 1 Symmetric Key Crypto Alfred C. Weaver Tom Horton CS453 Electronic Commerce.

2

Readings: Chapter 13 of Treese and Stewart textbook Web resources

Weaver’s References Bruce Schneier, “Applied Cryptography,” John

Wiley & Sons Andrew Tanenbaum, “Computer Networks,”

Prentice-Hall Jim Kurose and Keith Ross, “Computer

Networking,” Addison-Wesley

Page 3: 1 Symmetric Key Crypto Alfred C. Weaver Tom Horton CS453 Electronic Commerce.

3

Symmetric Key Encryption

PlaintextOriginalPlaintextEncryption DecryptionCiphertext

Encryption Key

Decryption Key

Page 4: 1 Symmetric Key Crypto Alfred C. Weaver Tom Horton CS453 Electronic Commerce.

4

Evaluating SKC

How do you break this strategy? What’s the risk?

Odd question for the moment: Is this the strategy we want for encrypting passwords for authentication?

Page 5: 1 Symmetric Key Crypto Alfred C. Weaver Tom Horton CS453 Electronic Commerce.

5

Answers

Question 1: How do you break this strategy? What’s the risk? Answer: Attack the key! Can you guess it? Find it?

Question 2: Is this the strategy we want for encrypting passwords for authentication? Answer: No. Use a one-way hash to convert plain-text to

cipher-text. Store cipher-text on system. At authentication, hash what the user types and compare two cipher-texts for match.

How to attack? Same as above.

Page 6: 1 Symmetric Key Crypto Alfred C. Weaver Tom Horton CS453 Electronic Commerce.

6

Topics

What are some major (historical) SKC algorithms? DES, Triple-DES, IDEA, RC4, AES How do they work? (Hmm.) Where do they stand? How do they fit into larger systems?

Page 7: 1 Symmetric Key Crypto Alfred C. Weaver Tom Horton CS453 Electronic Commerce.

7

Data Encryption Standard

Government requested white papers on proposed cryptographic standard in early 1970s

IBM responded with a clever design NSA approved (and changed) the design NBS (now NIST) certified the design in 1976

as Data Encryption Standard (DES) Recertified in 1987 and 1993 World’s most commonly used algorithm

Page 8: 1 Symmetric Key Crypto Alfred C. Weaver Tom Horton CS453 Electronic Commerce.

8

DES Iterated block cipher with 56-bit key

(although 64 are specified, 8 are parity) Iterated

multiple repetitions of basic algorithm DES uses 16 rounds

Block cipher encrypts fixed-size data groups DES uses 8-byte (64-bit) blocks data divided into 64-bit chunks

Key space 256 keys ~= 72 x 1015 possible keys

Page 9: 1 Symmetric Key Crypto Alfred C. Weaver Tom Horton CS453 Electronic Commerce.

9

DES

Uses a combination of confusion and diffusion every bit of the key (56 bits) and every bit of the plaintext

(64 bits) affects every bit of the ciphertext (64 bits) key is shifted and massaged each round to produce a

subkey plaintext is permuted, shifted, selected, and massaged

against a permuted, shifted, and selected subkey 16 times each 64-bit plaintext produces a 64-bit ciphertext

Page 10: 1 Symmetric Key Crypto Alfred C. Weaver Tom Horton CS453 Electronic Commerce.

10

DESPlaintext

Permutation

L0 R0

f

L1 = R0 R1 = L0 f (R0,K1)

L16 = R15 R16 = L15 f (R15,K16)

Permutation

Ciphertext

+

…..

oneround

K1

Page 11: 1 Symmetric Key Crypto Alfred C. Weaver Tom Horton CS453 Electronic Commerce.

11

DES

1. Plaintext enters as 64-bit block 2. Bits are permuted and divided into left-

hand side (L0) and right-hand side (R0) 3. Repeat 16 rounds of encryption:

(a) Key from previous round is divided into two 28-bit halves

(b) Each half of key is shifted and subjected to a compression permutation that selects 48 of the 56 bits for propagation into the next round

Page 12: 1 Symmetric Key Crypto Alfred C. Weaver Tom Horton CS453 Electronic Commerce.

12

DES

(c) Right-hand side Ri from previous round subjected to expansion permutation that increases 32 bits into 48 bits by selective repetition of certain bits

(d) Expanded, permuted right-hand side Ri is

exclusive-ORed with shifted, compressed key (e) Result goes through substitution box that

moves the bits around and expands 32 bits into 48 bits temporarily

Page 13: 1 Symmetric Key Crypto Alfred C. Weaver Tom Horton CS453 Electronic Commerce.

13

DES

(f) Temporary result goes through a permutation box that moves bits around and reduces 48 bits to 32 bits

(g) Left-hand side is exclusive-ORed with output of permutation box to produce a new right-hand side

(h) New left-hand side is copied from right-hand side of previous round

Page 14: 1 Symmetric Key Crypto Alfred C. Weaver Tom Horton CS453 Electronic Commerce.

14

DES

At the end of 16 rounds 64-bit result permuted once more Final 64-bit ciphertext emitted

Note: no security due to secrecy—the algorithm has been published and studied extensively since 1975

All the security is in the key

Page 15: 1 Symmetric Key Crypto Alfred C. Weaver Tom Horton CS453 Electronic Commerce.

15

DES Decryption

Use the ciphertext as the plaintext Use same initial key Run the algorithm backwards through 16

rounds, using subkeys in reverse order K16, K15, …, K1

DES outputs the plaintext Many companies now offer DES on a chip so

it runs at wire speed

Page 16: 1 Symmetric Key Crypto Alfred C. Weaver Tom Horton CS453 Electronic Commerce.

16

Page 17: 1 Symmetric Key Crypto Alfred C. Weaver Tom Horton CS453 Electronic Commerce.

17

DES Implementation

Java implementation of DES available at http://intercom.virginia.edu/crypto/crypto.html

Page 18: 1 Symmetric Key Crypto Alfred C. Weaver Tom Horton CS453 Electronic Commerce.

18

A Brief IBM / NSA History

IBM needed crypto for ATM Idea began as Lucifer with 128-bit key IBM needed an export license NSA agreed to vet the algorithm NSA probably changed the S-boxes NSA told IBM to reduce the key size IBM agreed to 64 bits Production reduced it to 56 bits plus parity IBM got its export license

Page 19: 1 Symmetric Key Crypto Alfred C. Weaver Tom Horton CS453 Electronic Commerce.

19

Security of DES

DES started in 1976 It was secure then – but not now Jan. 1997: RSA Data Security issued a

cryptographic challenge Research project DESCHALL used distributed

computing (14,000 unique computers over 3 months) to crack DES with 56-bit key

http://www.interhack.net/projects/deschall/

At its peak, DESCHALL was testing 7 billion keys/second

Page 20: 1 Symmetric Key Crypto Alfred C. Weaver Tom Horton CS453 Electronic Commerce.

20

Security of DES

July 1998: DES Challenge II Electronic Frontier Foundation (EFF) built a DES

code-cracker for $250k Cracked DES in 3 days Jan. 1999: DES Challenge III Distributed.Net used EFF DES cracker plus

100,000 PCs on the Internet to crack DES in 22 hours 15 min.

Testing 245 billion keys/sec when key was found

Page 21: 1 Symmetric Key Crypto Alfred C. Weaver Tom Horton CS453 Electronic Commerce.

21

Security of DES

Reported in late 90s that DES could be cracked “in a few hours” (presumably by NSA)

Reasonable to assume that DES can now be cracked very quickly with special hardware and/or a distributed approach

Page 22: 1 Symmetric Key Crypto Alfred C. Weaver Tom Horton CS453 Electronic Commerce.

22

Weak Keys

Some 56-bit keys are known to be weak 0000000 0000000 0000000 FFFFFFF FFFFFFF 0000000 FFFFFFF FFFFFFF

Repeating bits do not “stir” well when shifted Also some “possibly weak” keys, but these

are identified in the literature so don’t use them

Page 23: 1 Symmetric Key Crypto Alfred C. Weaver Tom Horton CS453 Electronic Commerce.

23

Triple-DES

Triple-DES invented to boost security Uses three separate encryption and

decryption cycles with two or three unique keys

Two unique keys gives 2x56=112 bit protection

Three unique keys gives 3x56=168 bit protection

Page 24: 1 Symmetric Key Crypto Alfred C. Weaver Tom Horton CS453 Electronic Commerce.

24

Triple-DES

DES

Plaintext Ciphertext

DES

DES-1 DES-

1

DES

Key-1 Key-2 Key-3

DES-1

Page 25: 1 Symmetric Key Crypto Alfred C. Weaver Tom Horton CS453 Electronic Commerce.

25

Triple-DES with Three Unique Keys

Sender: Encrypt with Key-1 Decrypt with Key-2 (decryption has same

scrambling power as encryption) Encrypt with Key-3

Receiver: Decrypt with Key-3 Encrypt with Key-2 Decrypt with Key-1

Power: 56x3=168 bit key

Page 26: 1 Symmetric Key Crypto Alfred C. Weaver Tom Horton CS453 Electronic Commerce.

26

Triple-DES with Two Unique Keys

Sender: Encrypt with Key-1 Decrypt with Key-2 Encrypt with Key-1 again

Receiver: Decrypt with Key-1 Encrypt with Key-2 Decrypt with Key-1

Power: 56x2=112 bit key

Page 27: 1 Symmetric Key Crypto Alfred C. Weaver Tom Horton CS453 Electronic Commerce.

27

Triple-DES with One Unique Key

Sender: Encrypt with Key-1 Decrypt with Key-1 Encrypt with Key-1

Receiver: Decrypt with Key-1 Encrypt with Key-1 Decrypt with Key-1

Power: 56 bit key (exactly equal to DES)

Page 28: 1 Symmetric Key Crypto Alfred C. Weaver Tom Horton CS453 Electronic Commerce.

28

Triple-DES Why use three unique keys instead of one?

that’s easy! power of 168-bit key vs. 56-bit key many, many, many orders of magnitude harder to crack than DES

Why use two keys instead of one? power of 112-bit key vs. 56-bit key many orders of magnitude harder to crack than DES two keys (112 bits) easier to manage than three (doubtful) 112-bit key is fairly secure today

Why use one key instead of two or three? setting key1=key2=key3 makes 3DES interoperate with DES of course the power is just one 56-bit key only use would be for backward compatibility

Page 29: 1 Symmetric Key Crypto Alfred C. Weaver Tom Horton CS453 Electronic Commerce.

29

Security of DES and Triple-DES

Is DES suitable for commercial transactions? today the answer is no nevertheless it is in daily, wide-spread use

Triple-DES very robust, very well suited to commercial activities

Page 30: 1 Symmetric Key Crypto Alfred C. Weaver Tom Horton CS453 Electronic Commerce.

30

IDEA

International Data Encryption Algorithm proposed 1992 symmetric-key, 128 bits 64-bit blocks similar in design, but different in detail, from DES

Page 31: 1 Symmetric Key Crypto Alfred C. Weaver Tom Horton CS453 Electronic Commerce.

31

IDEA

Design philosophy is “mixing operations from three algebraic groups” XOR Addition modulo 216

Multiplication modulo 216 + 1 (substitutes for DES S-box)

About twice as fast as DES Used in PGP Very strong symmetric key encryption

algorithm

Page 32: 1 Symmetric Key Crypto Alfred C. Weaver Tom Horton CS453 Electronic Commerce.

32

AES

NIST held a competition to replace DES Five serious entries, including 3DES Winner was Rijndael (pronounced “Rhine-

doll”) from two co-inventors in Belgium AES is a 128-, 192-, or 256-bit block cipher Uses 128, 192, or 256 bit symmetric keys AES uses an affine transformation with a

non-linear substitution box

Page 33: 1 Symmetric Key Crypto Alfred C. Weaver Tom Horton CS453 Electronic Commerce.

33

AES

3.4 x 1038 128-bit keys 6.2 x 1057 192-bit keys 1.1 x 1077 256-bit keys Compare those to DES’s 56-bit key with 7.2 x 1016

keys Assume you could crack DES (i.e., full search of a

56-bit key space) in one second Then cracking AES with a 128-bit key would take

149 trillion years The universe is ~14 billion years old

Page 34: 1 Symmetric Key Crypto Alfred C. Weaver Tom Horton CS453 Electronic Commerce.

34

AES

AES is the way of the future Threats:

backdoor? (probably not) massive distributed computation quantum computing something we've not thought of

Page 35: 1 Symmetric Key Crypto Alfred C. Weaver Tom Horton CS453 Electronic Commerce.

35

Others

RC4 Developed by Ron Rivest Will pop up in discussions of RSA, SSL

Blowfish Developed by Bruce Schneier Free, fast Variable length key

Page 36: 1 Symmetric Key Crypto Alfred C. Weaver Tom Horton CS453 Electronic Commerce.

36

Summary and What’s Next

A set of historical algorithms Culminating in AES DES illustrates some of the controversies and

social issues inherent in cryptography PGP too

Weakness Keys must be shared

An alternative Public Key Encryption, possibly combined with

SKC


Related Documents