© 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 1
Cryptography Foundations
Symmetric cryptography (conventional encryption)
Outline
• Symmetric cryptography
  – Symmetric encryption algorithms
• Attacks: brute-force vs. cryptanalysis
  – Cipher block modes of operation
  – Padding
  – Encryption devices: location and management
  – Key distribution with symmetric cryptography
Symmetric ciphers
• Block-oriented (or block ciphers)
  – Used with different block modes of operation
    • Byte-oriented modes vs. N-byte-block-oriented modes
  – Blocks with fixed size
  – Key sizes and block sizes defined (fixed) for each algorithm (you must know it)
• Stream-oriented (or stream ciphers)
  – Byte-stream-oriented or bit-stream-oriented operation
  – Variable key sizes (algorithm dependent)
  – Fast to operate on stream-oriented inputs (bytes, bits)
    • Ex., real-time, interactive-traffic or low-latency communication requirements
Block ciphers are characterized by:
  – Block size (larger means greater security)
  – Key size (larger means greater security)
  – Round transformation function (greater complexity means more resistance)
  – Number of rounds (multiple rounds increase security)
• Type of operations in a round function
  – Substitutions (S-boxes)
  – Transpositions by permutations, with possible block expansion or block reduction (P-boxes), rotations (rotation tables)
  – Boolean operations (XOR)
  – Sub-key generation in each round (from the input key)
  – Algebraic operations (modular arithmetic, matrix operations, operations in GF(2), etc.)
Block cipher design criteria
• Security
  – Remember the robustness and assessment criteria (brute-force, test analysis, cryptanalysis, … previous classes)
  – Requires complexity (complex transformations in each round), a large number of rounds, a large key size, large blocks
• Fast operation (performance)
  – Speed of the algorithm is a concern
  – Simplicity (ex., HW implementations and embedded solutions, fast computation, low computational cost, energy savings, …)
• Ease of analysis
  – Simplicity in the internal reference structure
  – "Analyzable": formalisms and mathematical foundations
• The interesting algorithms must balance these tradeoffs, maximizing each criterion
Feistel structure (Horst Feistel, IBM, 1973)
• Base structure for many symmetric algorithms (ex., DES)
• Decryption implemented as encryption (input: the ciphertext, and use of the sub-keys in the reverse order)
• In each round: L_i = R_{i-1}; R_i = L_{i-1} XOR F(R_{i-1}, K_i)
Symmetric block ciphers: AES, DES
(Figure: AES)
Performance of algorithms
• Comparisons in Java (standard JDK and Sun crypto provider):
  http://www.javamex.com/tutorials/cryptography/ciphers.shtml
  http://www.javamex.com/tutorials/cryptography/hash_functions_algorithms.shtml
• See also: OpenSSL speed benchmark (speed test of library performance):
  http://wikis.sun.com/display/CryptoPerf/UltraSPARC+cryptographic+performance
DES
• Data Encryption Standard (DES)
  – The most widely used encryption scheme until 2000
  – The algorithm is referred to as the Data Encryption Algorithm (DEA)
  – DES is a block cipher
    • The plaintext is processed in 64-bit blocks
    • The key is 56 bits in length
DES algorithm
• Base: Feistel structure. The overall processing at each iteration (round):
  L_i = R_{i-1}; R_i = L_{i-1} XOR F(R_{i-1}, K_i)
• Security concerns about:
  > The algorithm and the key length (56 bits)
  > Weak, semi-weak or potentially weak keys
  > 1998, EFF DES cracker machine (3 days)
  > 10 hours with a machine doing 10^6 decryptions/microsecond
Initial and final permutations
16 rounds: sub-key generation for each round (figure)
Expansion/Permutation (EP box) and P-box (figure)
• EP box: in 32 bits, out 48 bits
• P-box: in 32 bits, out 32 bits
Substitution boxes (for 16 rounds) (figure)
Ex: 011101 → 0011
S-boxes (S1 to S4) (figure)
• Note: output values in each S-box: 0 to 15 (0000 to 1111); input values: 0 (000000) to 63 (111111)
• Ex: 8th (most significant) sextet 011101: the outer bits 01 select row 1, the inner bits 1110 select column 14; the S-box entry is 3, so the output is 0011
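The following is an added example, not code from the slides: a miniature DES-style Feistel network on 8-bit blocks whose round function uses the real DES S-box S1 (from FIPS 46). It shows the S-box indexing rule on this slide (outer bits select the row, inner bits the column, so 011101 gives row 1, column 14 and output 3 = 0011) and the Feistel property from the earlier slide that decryption is the same network run with the sub-keys in reverse order. The 4-to-6-bit expansion, the rotating key schedule, the 8-bit block size and the function names are simplifications assumed for the example; only the S1 table and the indexing rule are DES's own.

```python
# Added example (not from the slides): a miniature DES-style Feistel cipher on
# 8-bit blocks (two 4-bit halves). The round function F uses the real DES
# S-box S1 so the slide's lookup rule can be checked; the expansion, the key
# schedule and the block size are simplifications assumed for this example.

# DES S-box S1 (FIPS 46): 4 rows x 16 columns of 4-bit outputs.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox_lookup(six_bits: int, box=S1) -> int:
    """DES S-box rule: the outer bits (b5, b0) select the row, the inner
    four bits (b4..b1) select the column. 0b011101 -> row 1, column 14 -> 3."""
    if not 0 <= six_bits < 64:
        raise ValueError("S-box input must be a 6-bit value")
    row = (((six_bits >> 5) & 1) << 1) | (six_bits & 1)
    col = (six_bits >> 1) & 0xF
    return box[row][col]


def expand_4_to_6(r: int) -> int:
    """Hypothetical mini E box: duplicate the outer bits of a 4-bit half so
    the result is r3 r3 r2 r1 r0 r0 (DES applies the same idea for 32 -> 48)."""
    r3, r0 = (r >> 3) & 1, r & 1
    return (r3 << 5) | ((r & 0xF) << 1) | r0


def round_function(r: int, subkey: int) -> int:
    """F(R, K): expand R to 6 bits, XOR the 6-bit sub-key, substitute via S1."""
    return sbox_lookup(expand_4_to_6(r) ^ (subkey & 0x3F))


def key_schedule(key: int, rounds: int) -> list:
    """Hypothetical schedule: rotate the 6-bit key left by one per round,
    in the spirit of the per-round rotations of the DES key schedule."""
    subkeys, k = [], key & 0x3F
    for _ in range(rounds):
        k = ((k << 1) | (k >> 5)) & 0x3F
        subkeys.append(k)
    return subkeys


def feistel(block: int, subkeys: list) -> int:
    """Run the Feistel rounds L_i = R_{i-1}, R_i = L_{i-1} XOR F(R_{i-1}, K_i)
    and swap the halves at the end (as DES does), so the same function
    decrypts when given the sub-keys in reverse order."""
    left, right = (block >> 4) & 0xF, block & 0xF
    for k in subkeys:
        left, right = right, left ^ round_function(right, k)
    return (right << 4) | left


def encrypt(block: int, key: int, rounds: int = 8) -> int:
    return feistel(block, key_schedule(key, rounds))


def decrypt(block: int, key: int, rounds: int = 8) -> int:
    # Decryption = encryption with the sub-keys applied in reverse order.
    return feistel(block, list(reversed(key_schedule(key, rounds))))
```

Because the round function only enters through an XOR, `feistel` is a permutation of the 256 block values for any key, which is why `decrypt` needs no inverse of F and why the S-box is free to be non-invertible (6 bits in, 4 bits out).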
Sub-key generation for each round (figure)
Sub-key generation
• A sub-key is generated in each round
• PC1: the input key (56 bits) is permuted into two halves (28 bits each), the 2 initial sub-keys
• In each round, each half is rotated for the next round
• 16 rotations (one per round): a specific rotation amount is defined for each round
• PC2: in each round, a permutation with reduction (56 → 48 bits)
PC2 sub-key rescheduling (figure): 56 bits (28 left + 28 right) → PC2 → 48 bits; XOR with the expanded block R_{i-1}; S-box (round i); key rotation (for the next round)
Multiple encryption & DES
• Clearly a replacement for DES was needed
  – Theoretical attacks that can break it
  – Demonstrated exhaustive key search attacks
  – Cryptanalysis: demonstrated vulnerabilities
  – Weak, semi-weak and potentially weak keys
• AES is a new cipher alternative
  – The "standard" symmetric encryption for the 21st century
  – Promoted by different organizations: NIST, ANSI, etc.
• Prior to this alternative, the approach was to use multiple encryption with DES implementations
• Triple-DES is the chosen form
  – Compatibility during the adoption of AES
Double-DES? No thanks…
• Could use 2 DES encryptions on each block: C = E_K2(E_K1(P))
• Issue of reduction to a single stage with a single key (1992)
• … and it has the "meet-in-the-middle" attack
  – Works whenever a cipher is used twice
  – Since X = E_K1(P) = D_K2(C)
  – Attack by encrypting P with all keys and storing the results
  – Then decrypt C with all keys and match the X value
  – Can show it takes O(2^56) steps
Triple-DES with two keys
• Hence must use 3 encryptions
  – Would seem to need 3 distinct keys
• But can use 2 keys with the E-D-E sequence: C = E_K1(D_K2(E_K1(P)))
  – Encrypt & decrypt are equivalent in security
  – If K1 = K2 then it works as single DES (compatibility)
• Standardized in ANSI X9.17 & ISO 8732
• Effective key length of 112 bits
• No current known practical attacks
  – But the use of 3 keys is better (improvement of the key-length effect)
Triple-DES with three keys
• Although there are no practical attacks on two-key Triple-DES, there are some indications
• Can use Triple-DES with three keys to avoid even these: C = E_K3(D_K2(E_K1(P)))
• Has been adopted by some Internet applications, e.g. PGP, S/MIME
• Effective key length: 168 bits
• Paranoid? Use DEA N times with N different keys. Problem?
• Note: triple or N-fold encryption-decryption can be applied to any block cipher algorithm
Other multiple-encryption techniques
• TEMK – Triple Encryption with Minimum Key: constants T1, T2 and T3 and two initial keys K1, K2 are used to derive three keys KX1, KX2, KX3 for triple encryption: KXi = D(K2, E(K1, Ti))
• Use of triple encryption modes (ex., inner CBC, outer CBC)
• Triple encryption with prefix pads (pad size < block size)
• Doubling the block length space
• N-tuple encryption: ex., n = 5, 3 keys, C = E_k1(D_k2(E_k3(D_k4(E_k5(P)))))
• Whitening technique: C = K3 XOR E(K2, (P XOR K1))
• Cascading multiple block ciphers: it is at least as hard to break as any of its component ciphers
• Combination technique
  – Random bit string R with the same size as M
  – C = E(K1, R) XOR E(K2, (M XOR R))
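As an added example (not from the slides), the composition structure behind the Triple-DES, N-tuple and whitening constructions above, written generically over any encrypt/decrypt pair so the note that N-fold encryption applies to any block cipher can be checked directly. The 8-bit `toy_encrypt`/`toy_decrypt` pair, the function names and the sample keys are assumptions made for this example and are not DES; what the slides give is the wiring E_K3(D_K2(E_K1(P))), its two-key form, the alternating E/D chain, and K3 XOR E(K2, P XOR K1). The alternating chain is written for any odd number of keys, of which the slide's n = 5 case is one instance.

```python
# Added example (not from the slides): EDE-style multiple encryption written
# over a generic (E, D) pair. The toy 8-bit cipher below is a stand-in
# assumed for this example so the block runs offline; it is not DES.

def rotl8(x: int, n: int) -> int:
    return ((x << n) | (x >> (8 - n))) & 0xFF

def rotr8(x: int, n: int) -> int:
    return ((x >> n) | (x << (8 - n))) & 0xFF

def toy_encrypt(key: int, block: int) -> int:
    """Hypothetical stand-in block cipher: XOR with the key, then rotate.
    Not secure; it only makes the composition executable."""
    return rotl8((block ^ key) & 0xFF, 3)

def toy_decrypt(key: int, block: int) -> int:
    return rotr8(block & 0xFF, 3) ^ (key & 0xFF)

def ede_encrypt(p, k1, k2, k3, E=toy_encrypt, D=toy_decrypt):
    """Three-key Triple-DES shape: C = E_K3(D_K2(E_K1(P)))."""
    return E(k3, D(k2, E(k1, p)))

def ede_decrypt(c, k1, k2, k3, E=toy_encrypt, D=toy_decrypt):
    """Inverse: P = D_K1(E_K2(D_K3(C))); the stages are undone in reverse."""
    return D(k1, E(k2, D(k3, c)))

def two_key_ede_encrypt(p, k1, k2, **kw):
    """Two-key form (ANSI X9.17): K3 = K1. With K1 = K2 the middle D
    cancels the first E, leaving single encryption (DES compatibility)."""
    return ede_encrypt(p, k1, k2, k1, **kw)

def alternating_ede_encrypt(p, keys, E=toy_encrypt, D=toy_decrypt):
    """N-tuple form: stages alternate E, D, E, ... from the innermost key
    (last in the list) outwards, e.g. C = E_k1(D_k2(E_k3(D_k4(E_k5(P)))))
    for keys = [k1, k2, k3, k4, k5]. The key count must be odd so the
    chain starts and ends with an encryption."""
    if len(keys) % 2 != 1:
        raise ValueError("alternating E/D chain needs an odd number of keys")
    x = p
    for idx, k in enumerate(reversed(keys)):
        x = E(k, x) if idx % 2 == 0 else D(k, x)
    return x

def alternating_ede_decrypt(c, keys, E=toy_encrypt, D=toy_decrypt):
    """Undo the chain outermost-first: D_k1, E_k2, D_k3, ..."""
    x = c
    for idx, k in enumerate(keys):
        x = D(k, x) if idx % 2 == 0 else E(k, x)
    return x

def whitening_encrypt(p, k1, k2, k3, E=toy_encrypt):
    """Whitening: C = K3 XOR E(K2, P XOR K1)."""
    return (k3 ^ E(k2, (p ^ k1) & 0xFF)) & 0xFF

def whitening_decrypt(c, k1, k2, k3, D=toy_decrypt):
    return (D(k2, (c ^ k3) & 0xFF) ^ k1) & 0xFF
```

Passing a real cipher's encrypt and decrypt functions as `E` and `D` gives the genuine constructions; the checks worth keeping are that each decrypt inverts its encrypt and that the two-key form with K1 = K2 equals single encryption under K1 for every block.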
Other block ciphers
• International Data Encryption Algorithm (IDEA)
  – 128-bit key
  – Used in PGP
• Blowfish
  – Easy to implement
  – High execution speed
  – Runs in less than 5K of memory
• RC5
  – Suitable for hardware and software
  – Fast, simple
  – Adaptable to processors of different word lengths
  – Variable number of rounds
  – Variable-length key
  – Low memory requirement
  – High security
  – Data-dependent rotations
• CAST-128
  – Key size from 40 to 128 bits
  – The round function differs from round to round
• Skipjack
  – Example of a simple symmetric cipher, interesting for small devices and HW implementation (very usual before AES implementations in HW for embedded systems and small devices, such as micro-sensors, motes, etc.)
Symmetric vs. asymmetric cryptography (summary)
• Symmetric cryptography
  > Establishing secure channels (confidentiality)
  > Problems of sharing (distributing) the keys
• Asymmetric cryptography
  • Confidentiality: encryption with the public key
  • Authenticity: signatures (encryption with the private key)
  • Involves digests (one-way hashing in signatures)
  • Non-repudiation: guaranteed under the assumption of non-revocation of the key at a given time
  > Slower operation

Symmetric block ciphers and characteristics
Alg.     | Key size      | Rounds   | Operations                                          | Applications (standardization)
DES      | 56            | 16       | XOR, S-boxes, P-boxes, EP boxes, rotations, ...     | SET, Kerberos
3DES     | 112/168       | 48       | idem                                                | Financial standards, e-commerce, PGP, S/MIME, SSL
IDEA     | 128           | 8        | XOR, addition mod 2^16, multiplication mod 2^16     | PGP, SSL
TEA      | 128           | 32       | XOR + shift                                         |
Blowfish | < 448         | 16       | XOR + variable S-boxes                              |
RC5      | < 2048        | < 255    | Addition, subtraction, XOR and rotation operations  |
CAST-128 | 40-128        | 16       | Addition, subtraction, XOR, rotation and S-boxes    |
AES      | 128, 192, 256 | 10,12,14 | S-boxes, matrix SR-MC, XOR                          | Many: promoted as a standard after 2000
(The original slide also lists SSL and PGP in the applications column for two of the rows TEA to CAST-128; the row assignment is not recoverable.)
Symmetric block ciphers and characteristics (cont.)
Alg.     | Key size | Rounds     | Operations                          | Applications (standardization)
Skipjack | 80 bits  | 4 x 8 = 32 | XOR, P-boxes, matrix-based exp....  | Sensors, WSN communication
Skipjack
• SKIPJACK is a 64-bit codebook utilizing an 80-bit cryptovariable (key)
• SKIPJACK encrypts/decrypts 4-word (64-bit) data blocks by alternating between the two stepping rules (A and B)
• Input = W_i^0, 1 ≤ i ≤ 4 (i.e., k = 0 for the beginning step); counter initialized to 0
• Steps (32 rounds of 8 step rules): rules A, B, C, D
  – The counter increments by one after each step
• The output = W_i^32, 1 ≤ i ≤ 4
(Figure: W_i^0 → 32 rounds → W_i^32)
Decryption rules (A^-1 and B^-1)
Rule A^-1:
  W1^{k-1} = [G^{k-1}]^{-1}(W2^k)
  W2^{k-1} = W3^k
  W3^{k-1} = W4^k
  W4^{k-1} = W1^k ⊕ W2^k ⊕ counter^{k-1}
Rule B^-1:
  W1^{k-1} = [G^{k-1}]^{-1}(W2^k)
  W2^{k-1} = [G^{k-1}]^{-1}(W2^k) ⊕ W3^k ⊕ counter^{k-1}
  W3^{k-1} = W4^k
  W4^{k-1} = W1^k
Design features in HW
• SKIPJACK module implemented "easily" as a peripheral HW device (as a crypto module) with a 16-bit host interface
• Data interface to the module using read/write operations on the registers
• Single design for encryption and decryption, based upon a flag in the control register
• Device-specific look-up ROMs used for the look-up tables
  – Fast, low memory requirements, low energy requirements (for the case of wireless devices with autonomous batteries)
F-table and cryptovariable
• F-table: the F function is a G permutation in a look-up table
  – Row = the higher-order 4-bit index
  – Column = the lower-order 4-bit index
• Cryptovariable: the cryptovariable (key) is 10 bytes = 80 bits long (labeled 0 through 9) and used in its natural order
• Cryptovariable subscripts used in the G permutation are interpreted mod 10
Example of top-level design
• Two major Verilog modules
  – Regmem module for the external I/O interface
  – Algorithm module for encryption/decryption
Memory map
• 13 registers in total
  – 12 for the data interface
  – 1 register for control
Interface description
• Device inputs
  – Input data buffer: 4 words (64 bits)
  – Cryptovariable (key) buffer: 5 words (80 bits)
  – Operating flags:
    • Encrypt/Decrypt (1 for encryption, 0 for decryption)
    • Start (writing a 1 starts the operation)
• Device outputs
  – Output data buffer: 4 words (64 bits)
  – Operating flag:
    • Done (a 1 indicates that the last operation is complete)
Algorithm module - blocks
• Control state machine
  – Controls the encryption/decryption process: K-counter, register loading, Done indication bit
  – Triggered by the Start command bit in the control register
• Feistel module
  – Implements the G and G^-1 functions using logic and 4 look-up tables for the F function
• P_reg1 through P_reg4
  – Used for SKIPJACK data operation
  – The input buffer can be reloaded with new data while the operation is performed on the previous data, which speeds up throughput
• K-counter
  – Up/down counter with preset and reset
Algorithm module - state machine
• 5-state machine to control both encryption and decryption
Algorithm Module - Feistel Module
Feistel module - description
• Single module to compute the G and G^-1 functions
• Control based upon the Enc_Decn control bit
• Reverses the input byte order to perform the G^-1 function (flipping the Feistel structure to the G function)
• 4 look-up ROMs (Altera specific) to implement the F function
• 4 multiplexers 10:1 to select one of the 10 CV bytes, controlled from the k-cntr look-up mechanism
• One 32-entry look-up ROM to eliminate the mod 10 computation of 4k, 4k+1, 4k+2, 4k+3
• 4 multiplexers 2:1 (4-bit) to select the index for encryption or decryption
AES (Advanced Encryption Standard): origins and characteristics
• Clearly a replacement for DES was needed
  – There are theoretical attacks that can break it
  – There are demonstrated exhaustive key search attacks
• Can use Triple-DES, but it is slow and has small blocks
• US NIST issued a call for ciphers in 1997
• 15 candidates accepted (Jun/98), 5 were shortlisted in Aug/99
• Rijndael was selected as the AES in Oct 2000
• Issued as the FIPS PUB 197 standard in Nov 2001
• Designed by Rijmen and Daemen in Belgium
• An iterative rather than Feistel cipher
  – Processes data as a block of 4 columns of 4 bytes
  – Operates on the entire data block in every round
• Designed to be:
  – Resistant against known attacks
  – Fast and compact in code on many CPUs
  – Simple to analyze
AES requirements
NIST established the following reference criteria for proposals:
• Secret-key / symmetric block cipher
• 128-bit data, 128/192/256-bit keys
• Stronger & faster than Triple-DES
• Active life of 20-30 years (+ archival use)
• Provide full specification & design details
• Both C & Java implementations
• NIST has released all submissions & unclassified analyses
AES structure
• Not a Feistel structure …
• Data block of 4 columns of 4 bytes is the state (128 bits)
• Key is expanded to an array of words (44 words of 32 bits)
• Has 9/11/13 rounds in which the state undergoes:
  – I: byte substitution (1 S-box used on every byte)
  – II: shift rows (permute bytes between groups/columns)
  – III: mix columns (substitution using a matrix multiply of groups)
  – IV: add round key (XOR state with key material)
  – View as alternating XOR key & scramble data bytes
• Initial XOR of key material & incomplete last round
• With fast XOR & table lookup implementation
Advanced Encryption Algorithm (AES)
• Internal structure (figure)
• Ex., 10 rounds for 128-bit keys
• Successive processing of block-state arrays, combined with the expanded key: a 128-bit sub-key in each round
Input/output state array and key expansion
• Successive rounds (10 for 128-bit keys) of transformation of a 128-bit block (state array), organized as a square matrix of bytes (4x4 bytes = 128 bits, ordered by column)
• Key expanded from its initial size (as a square matrix of bytes) to 44 columns (44 words, 4 bytes each)
Byte substitution
• A simple substitution of each byte (defined)
• Uses one table of 16x16 bytes containing a permutation of all 256 8-bit values
• Each byte of the state is replaced by the byte indexed by row (left 4 bits) & column (right 4 bits)
  – e.g. byte {95} is replaced by the byte in row 9, column 5, which has value {2A}
• S-box constructed using a defined transformation of values (byte-to-byte substitution of the block), byte values as polynomials in GF(2^8)
• Designed to be resistant to all known attacks
Shift rows
• A circular byte shift in each row
  – 1st row is unchanged
  – 2nd row does a 1-byte circular shift to the left
  – 3rd row does a 2-byte circular shift to the left
  – 4th row does a 3-byte circular shift to the left
• Decrypt inverts using shifts to the right
• Since the state is processed by columns, this step permutes bytes between the columns
Mix columns
• Each column is processed separately / each byte is replaced by a value dependent on all 4 bytes in the column
• Effectively a matrix multiplication in GF(2^8) using the prime polynomial m(x) = x^8 + x^4 + x^3 + x + 1
Add round key
• XOR the state with 128 bits of the round key
• Again processed by column (though effectively a series of byte operations)
• Inverse for decryption is identical
  – Since XOR is its own inverse, with reversed keys
• Designed to be as simple as possible
  – A form of Vernam cipher on the expanded key
  – Requires the other stages for complexity / security
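As an added example (not code from the slides), the four round transformations described on the byte substitution, shift rows, mix columns and add round key slides, in Python. The S-box is computed from its definition (multiplicative inverse in GF(2^8), then the affine transform) rather than copied from the table, and mix columns is carried out with multiplication modulo m(x) = x^8 + x^4 + x^3 + x + 1; the state layout (a list of 4 columns of 4 bytes) and the function names are choices made for this example. Evaluating `sbox(0x95)` reproduces the {95} → {2A} example from the byte substitution slide, and the mix-column check uses the column (db 13 53 45) → (8e 4d a1 bc) from the AES specification's worked example.

```python
# Added example (not from the slides): the four AES round transformations on
# a 4x4 byte state. The state is a list of 4 columns (column-major, as the
# slides describe "4 columns of 4 bytes"); this layout is a choice for the
# example. The S-box is derived from its definition instead of a table.

AES_POLY = 0x11B  # m(x) = x^8 + x^4 + x^3 + x + 1, written 1 0001 1011


def xtime(b: int) -> int:
    """Multiply by x in GF(2^8): shift left, reduce by m(x) on overflow."""
    b <<= 1
    return (b ^ AES_POLY) & 0xFF if b & 0x100 else b


def gf_mul(a: int, b: int) -> int:
    """Multiplication in GF(2^8) by repeated xtime (shift-and-add)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a = xtime(a)
        b >>= 1
    return result


def gf_inv(a: int) -> int:
    """Multiplicative inverse as a^254 (since a^255 = 1); inv(0) is 0 by
    definition, which the loop also yields."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r


def sbox(x: int) -> int:
    """AES S-box entry: GF(2^8) inverse, then the affine transform
    s = b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4) ^ 0x63."""
    b = gf_inv(x)
    rotl = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    return b ^ rotl(b, 1) ^ rotl(b, 2) ^ rotl(b, 3) ^ rotl(b, 4) ^ 0x63


def sub_bytes(state):
    """Step I: every byte replaced through the single S-box."""
    return [[sbox(b) for b in col] for col in state]


def shift_rows(state):
    """Step II: row r is rotated left by r positions; since the state is
    stored by column, this moves bytes between columns."""
    return [[state[(c + r) % 4][r] for r in range(4)] for c in range(4)]


def mix_column(col):
    """Step III on one column: multiply by the fixed circulant matrix
    [2 3 1 1; 1 2 3 1; 1 1 2 3; 3 1 1 2] in GF(2^8)."""
    a0, a1, a2, a3 = col
    return [
        gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
        a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
        a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
        gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2),
    ]


def mix_columns(state):
    return [mix_column(col) for col in state]


def add_round_key(state, round_key):
    """Step IV: XOR the 16 state bytes with 16 round-key bytes; applying it
    twice with the same key restores the state (XOR is its own inverse)."""
    return [[s ^ k for s, k in zip(sc, kc)] for sc, kc in zip(state, round_key)]


def aes_round(state, round_key):
    """One full round in the order the slides give: I, II, III, IV."""
    return add_round_key(mix_columns(shift_rows(sub_bytes(state))), round_key)
```

The key expansion and the incomplete last round (which omits mix columns) are not included; `aes_round` is the body that the slides' rounds repeat, and decryption would apply the inverse S-box, right shifts and the inverse mix-column matrix in reverse order.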
Advanced Encryption Algorithm (AES): round steps (figure)
• I: byte substitution; II: shift rows; III: mix columns; IV: add round key
Stream ciphers (figure)
• Block cipher (with ECB mode of operation)
• Structure for stream ciphers
• Possible implementation with block ciphers. How?
Stream ciphers
• Process the message bit by bit (as a stream)
• Have a pseudo-random keystream
• Combined (XOR) with the plaintext bit by bit
• Randomness of the stream key completely destroys the statistical properties of the message
  – Ci = Mi XOR StreamKeyi
• But must never reuse a stream key
  – Otherwise one can recover messages (cf. book cipher)
• Some design considerations are:
  – Long period with no repetitions
  – Statistically random
  – Depends on a large enough key
  – Large linear complexity
• Properly designed, can be as secure as a block cipher with the same size key
• But usually simpler & faster
RC4
• Proprietary cipher owned by RSA DSI
• Another Ron Rivest design, simple but effective
• Variable key size, byte-oriented stream cipher
• Widely used (web SSL/TLS, wireless WEP)
• Key forms a random permutation of all 8-bit values
• Uses that permutation to scramble input info processed a byte at a time
RC4 key schedule
• Starts with an array S of the numbers 0..255
• Uses the key to well and truly shuffle it
• S forms the internal state of the cipher

// Initialization of S and T
for i = 0 to 255 do
    S[i] = i
    T[i] = K[i mod keylen]

// Initial permutation of S
j = 0
for i = 0 to 255 do
    j = (j + S[i] + T[i]) (mod 256)
    swap(S[i], S[j])
RC4 encryption
• Encryption continues shuffling the array values
• The sum of the shuffled pair selects the "stream key" value from the permutation
• XOR S[t] with the next byte of the message to en/decrypt

i = j = 0
for each message byte Mi
    i = (i + 1) (mod 256)
    j = (j + S[i]) (mod 256)
    swap(S[i], S[j])
    t = (S[i] + S[j]) (mod 256)
    Ci = Mi XOR S[t]
RC4 encryption model (figure)
• Algorithm explained in Stallings, Network Security Essentials (see section 2.4, Chapter 2)
RC4 security
• Claimed secure against known attacks
  – There are some analyses, none practical
• Result is very non-linear
• Since RC4 is a stream cipher, must never reuse a key
• There is a concern with WEP, but due to key handling and/or pattern repetitions rather than RC4 itself
Other stream ciphers
• SEAL
• A series (ex., A5, A8, GSM)
Outline
• Symmetric cryptography
  – Symmetric encryption algorithms
• Attacks: brute force vs. cryptanalysis
  – Cipher block modes of operation
  – Padding
  – Encryption devices: location and management
  – Key distribution with symmetric cryptography
Symmetric encryption model (figure)
• Also referred to as conventional encryption, secret-key encryption, single-key encryption, or shared-secret-key encryption
• Notation: C = {M}K (encryption of M under K), M = {C}'K (decryption); equivalently Y = E[K, X], X = D[K, Y]
• M: plaintext or cleartext (intelligible); C: ciphertext; K: the key shared by both sides
Block ciphers
• Modern symmetric methods (modern cryptography)
• Applied cryptography (computers, devices, HW, SW, …)
  – Block-based design principles
  – Initially inspired by classic methods (adapted for computers) … more complexity
  – Reference to "standard" structures: ex., Feistel network structure
  – Statistical properties
  – Standardization
  – Attacks:
    • Brute-force attacks
    • Differential and linear cryptanalysis principles
  – Algebraic structures and operations
    • Mathematical foundations
Stream ciphers
• Modern symmetric methods (modern cryptography)
• Applied cryptography (computers, devices, HW, SW, …)
  – Stream-oriented processing
  – Fast (ex., real-time bit-by-bit encryption/decryption)
  – Also interesting for byte streaming
    • Interactive applications (ex., SSH)
    • Download of byte streams (ex., WEB, HTTP)
  – Use of fast algebraic computations, boolean operations, modular arithmetic
Modern cryptography
• Key points
  – Secrecy is in the "key" (not in the algorithm or its implementation)
  – Publicly available, open specification, open validation
    • More scrutiny … more security
    • Key-space and block-size implications
    • Cryptanalysis: is the "age" of an algorithm an advantage?
• "Modern" symmetric encryption methods
  – Algebraic structures
    • Finite fields: groups, rings and fields
    • Modular arithmetic
    • Euclidean algorithm
    • Finite fields of the form GF(p)
    • Polynomial arithmetic
    • Finite fields of the form GF(2^n)
Symmetric algorithms
• Block-oriented symmetric ciphers
  – Ex., DES, Triple-DES, IDEA, Skipjack, RC5, RC6, AES, Blowfish, Twofish, CAST-128, ...
  – Different modes of operation: ECB, CBC, CFB, OFB, CTR, ....
• Stream ciphers
  – Ex., RC4, SEAL, KASUMI, A-series (GSM), etc.
  – Bit-by-bit operation
  – Byte-stream based transformations
• A hybrid structure is also possible:
  – Stream ciphers implemented with block-cipher building blocks
AES - Advanced Encryption Standard
• Originally Rijndael, from Daemen and Rijmen
  – Substitute for DES (NIST call for proposals)
  – http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
  – Evaluation criteria for AES
    • Keys: 128, 192, 256 bits; block size: 128 bits
    • High dispersion with a simple (auditable) and fast internal structure and algebraic proofs
  – Block operations in successive rounds
    » Block operated as a matrix
    » Substitution boxes
    » Shift rows
    » Mix columns
    » XOR with sub-keys (generated from an expansion of the initial key)
• Implementation issues: simple and fast implementations in SW and HW, simple auditing
• Best indicators in all the NIST-defined tests (CMVP)
Symmetric cryptography requirements (1)
• Security properties of symmetric ciphers: an opponent who knows the algorithm and has access to one or more ciphertexts (C1, C2, … Ci, … Cn)
  – would be unable to obtain the respective plaintexts (P1, P2, … Pi, … Pn) if she/he does not know the key K used to calculate Ci = {Pi}K
  – would be unable to figure out the key K, even if she/he is in possession of a number of pairs (Pi, Ci), with Ci = {Pi}K
• Security in symmetric encryption depends on the secrecy of the secret key (an input parameter of the encryption/decryption algorithm), not on the secrecy of the algorithm
Symmetric cryptography requirements (2)
• Security in symmetric cryptography requires:
  – Sender and receiver (principals in a secure communication) must have obtained copies of the key K in a secure way (need a secure key-distribution protocol or secure key-establishment service)
  – Must keep the shared keys K secure: key storage is an important concern
  – Key exposure is an important concern
  – Possible rekeying mechanisms (key refreshments) for Perfect Backward Secrecy (PBS) and Perfect Future Secrecy (PFS)
    • Prevention of possible compromise of keys
    • Key independence ("perfect")
    • Fast or efficient rekeying may be an issue
Symmetric cryptography assessment
• Performance, implementation issues, test/certification
• Security concerns:
  – Key size vs. block size: robustness under brute-force attacks
  – Cryptanalysis attacks
• Cryptanalysis
  – Differential cryptanalysis vs. linear cryptanalysis
  – Dispersion and entropy: formal distance tests between identical blocks resulting from different transformations of the same plaintext block
    • Kasiski test: decomposition of the distances into prime factors and period evaluation, with high probability, as the GCD of the majority of the evaluated distances
    • Coincidence test: % of similar symbols in identical overlapping cryptograms under a progressive displacement
  – Certification test programs and tools (ex., NIST CRYPTIK, METRIX)
    • http://csrc.nist.gov/groups/STM/cavp/
Symmetric cryptography assessment (cont.)
• Other current formal security verifications and proofs on symmetric cryptography:
  – Sensitivity to initial setup conditions
    •
 Ex: consequences of "one" bit changes
  – Evaluation of uniform distribution characteristics
  – Binary balance and mean entropy for a large number of generated keys (and consecutive sub-keys) and a large number of blocks (and consecutive sub-blocks)
  – Auto- and cross-correlation in a large number of generated keys (and consecutive sub-keys)
  – Resistance to statistical attacks on pseudo-random generation mechanisms
  – Performance/adaptability for specific purposes (HW, RAM, OS primitives, etc.)
Robustness and computational security criteria
• Robustness: if it is impossible (computationally impossible) to decrypt a message on the basis of the ciphertext plus the knowledge of the encryption/decryption algorithm
• Computational security criteria:
  – Infinite time to break with the available computing power and resources (processing power in MIPS, memory, storage, …)
    • What is "infinite time"?
      – Ex., more than the universe lifetime … 10^11 years?
      – Ex., more than the universe lifetime by several orders of magnitude?
  – Finite time to break … but the time exceeds the useful lifetime of the protected information
  – Finite time to break, but it requires infinite or impossible computing power and resources
    • What is "impossible computing power"?
      – Ex., a quantity of computers requiring more silicon or germanium atoms than the total (estimated) quantity of atoms available in our galaxy?
      – Ex., the required processing speed would cause the fusion of the materials?
  – Available computing can break before the useful lifetime of the protected information … but the cost (money) of such computing resources exceeds the value of the protected information
Big numbers [Schneier 1996]
Brute-force attack (with no inherent mathematical weaknesses)
• 1 computer vs. computing power aggregation (figure)
• On average: half of the key space searched
• Practical terms: need more than a key search
  – Plaintext knowledge (to recognize the correct key)
  – More difficult in other cases: binary, compressed, hashed data
(Figure: brute-force time versus key size for DES; IDEA, RC5, TEA, CAST-128, AES-128; TDEA/3DES; AES-192; AES-256; reference line at 10^11 years, the universe lifetime)
Moore's law and other predictions
• http://en.wikipedia.org/wiki/Moore's_law
• Processing power doubles every 18 months
• In 10 years, computers will be 100 times more powerful (general resources)
  – A desktop will fit into a cell phone
  – Gigabit wireless connectivity everywhere
  – Personal networks will connect our computing devices and the remote services we subscribe to
• Other aspects of the future are much more difficult to predict
  – No one can predict what the emergent properties of 100x computing power will bring: new uses for computing, new paradigms of communication. A 100x world will be different, in ways that will be surprising.
More brute-force attack estimations
• Moore's law (computing power): doubles every 18 months …
• Cost estimation to break

Extrapolation using Moore's law (symmetric algorithms, key sizes):
Key size (bits) | Year (attack)
80              | 2010
96              | 2034
112             | 2058
128             | 2082
144             | 2106
160             | 2130
176             | 2154
192             | 2178
208             | 2202
224             | 2226
240             | 2250
256             | 2274

Ex., breaking with $10 million in 2000 (Robert Silverman, Technical Report, RSA Laboratories, 2000):
Symmetric alg. (key size) | Public-key (ECC) | Public-key (RSA) | Time to break | Storage needs
56                        | 112              | 420              | < 5 min       | Trivial
80                        | 160              | 760              | 600 months    | 4 GB
96                        | 192              | 1020             | 3x10^6 years  | 170 GB
128                       | 256              | 1620             | 10^16 years   | 120 TB
© 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 80
Brute-Force conclusions • Even if the attacker managed to speed up by a factor of 1 trillion (10^12), brute-force attacks on 128-bit keys require 1 million years
• So, in practice, 128-bit keys (no weak keys, generated randomly and securely established and maintained) are unbreakable with brute-force attacks
• From this baseline, the next security problem is the possible cryptanalysis attacks against specific algorithms
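The two estimates on the previous slides (the Moore's-law extrapolation table and the "half of the key space on average" rule) are easy to reproduce. The following Go program is an added illustration, not part of the original slides; the attacker rates it uses (10^9 keys/s for one machine, and a 10^12 speed-up on top of it) are constructed figures, not measurements:

```go
package main

import (
	"fmt"
	"math"
)

// MooreYear extrapolates the year in which a symmetric key of keyBits bits
// falls to brute force, using the slide's baseline (80-bit keys: 2010) and
// Moore's law (computing power doubles every 18 months): each extra key bit
// doubles the work, so it buys 1.5 years; 16 extra bits buy 24 years.
func MooreYear(keyBits int) int {
	return 2010 + (keyBits-80)*3/2
}

// ExpectedYearsToBreak is the expected brute-force time in years for a
// keyBits-bit key against an attacker testing keysPerSecond keys: on average
// half of the key space, 2^(keyBits-1) keys, has to be searched.
func ExpectedYearsToBreak(keyBits int, keysPerSecond float64) float64 {
	const secondsPerYear = 365.25 * 24 * 3600
	halfKeySpace := math.Ldexp(1, keyBits-1) // exact 2^(keyBits-1) as a float64
	return halfKeySpace / keysPerSecond / secondsPerYear
}

func main() {
	fmt.Println("Moore's-law extrapolation (80-bit keys breakable in 2010):")
	for bits := 80; bits <= 256; bits += 16 {
		fmt.Printf("  %3d-bit key: %d\n", bits, MooreYear(bits))
	}
	// Assumed attacker rates (constructed, not measured): one fast machine
	// testing 10^9 keys/s, and a fleet 10^12 times faster than it.
	const oneMachine = 1e9
	for _, bits := range []int{56, 80, 128, 256} {
		fmt.Printf("%3d-bit key: %.3g years at 10^9 keys/s, %.3g years with a 10^12 speed-up\n",
			bits, ExpectedYearsToBreak(bits, oneMachine), ExpectedYearsToBreak(bits, oneMachine*1e12))
	}
}
```

Running it shows why the slide treats 128-bit keys as out of reach: even the 10^12 speed-up leaves the 128-bit estimate many orders of magnitude above any useful lifetime, while 56-bit DES falls in about a year to the single constructed machine.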
© 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 81
Cryptanalysis • Process of attempting to discover the plaintext or the key from the known or available information • Cryptanalytic attacks: opponents using cryptanalysis
[Figure: attack types ordered from more difficult to less difficult; the more commonly employed attacks vs. the high-security criteria]
© 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 82
Confidentiality using symmetric encryption • Best practices and bad practices • Concerns behind keys:
– Key maintenance, key exposure – Key distribution, key establishment – Placement of the encryption/decryption function – Key-generation process and (random) number generation – Key-generation process and discarding of “weak keys” – Perfect forward vs. backward secrecy – Rekeying needs – Recovery of keys
• How to use cipher block modes of operation in a secure way (or how to choose the correct mode)
• Padding and its relevance • Combination of methods: is the combination secure? • Dynamic configuration of cipher-suites and security association parameters / protocol design and implementation
© 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 83
Key-management in symmetric cryptography • The previous problems are very relevant!
– In symmetric cryptography the key is the same for encryption/decryption
• Shared secret key – For 2 principals: 1 shared key – 3 principals: 3 keys – 4 principals: 6 keys – … – 6 principals: 15 keys – N principals: n(n-1)/2 keys, O(n^2)
• Problem for secure key distribution, establishment and management
– Non-KDC based (pre-established keys) – KDC based (client/server model) – Redundant KDCs (client/server group), ex., 1, 2, …
© 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 84
Assessment approaches • Classic assessment techniques
– Kasiski tests • Frequency analysis • Superposition and coincidence counting
– Friedman tests (variance analysis) • See statistical analysis
– http://en.wikipedia.org/wiki/Comparison_of_statistical_packages
– Other tests: • Uniform distribution • Binary balance (“0” and “1” distribution) • Entropy metrics (ex., mean value across two consecutive keys) • Auto-correlation or cross-correlation
© 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 85
Assessment approaches – Combined statistical tests in a battery (tools)
• Ex., randomness tests: http://stat.fsu.edu/pub/diehard
• Assessment or certification programs and tools • Ex., NIST: http://csrc.nist.gov/groups/ST/toolkit/index.html
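The three simple tests named on the previous slide (binary balance, uniform distribution via entropy, auto-correlation) can be applied directly to candidate key or IV material before it is trusted. The Go program below is an added example, not part of the slides or of any of the test batteries linked above; the "periodic" input is a constructed bad sample, chosen so that its bit balance is exactly 0.5 while entropy and auto-correlation still expose it:

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/bits"
)

// BitBalance is the fraction of 1 bits in data (the "binary balance" test);
// random data should give a value close to 0.5.
func BitBalance(data []byte) float64 {
	if len(data) == 0 {
		return 0
	}
	ones := 0
	for _, b := range data {
		ones += bits.OnesCount8(b)
	}
	return float64(ones) / float64(8*len(data))
}

// ByteEntropy is the Shannon entropy of the byte histogram, in bits per
// byte (uniform-distribution test); 8.0 is the maximum.
func ByteEntropy(data []byte) float64 {
	if len(data) == 0 {
		return 0
	}
	var counts [256]int
	for _, b := range data {
		counts[b]++
	}
	n := float64(len(data))
	h := 0.0
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / n
			h -= p * math.Log2(p)
		}
	}
	return h
}

// bitAt returns bit i of data, most significant bit of each byte first.
func bitAt(data []byte, i int) byte {
	return (data[i/8] >> (7 - uint(i%8))) & 1
}

// BitAutocorrelation is the fraction of positions i at which bit i equals
// bit i+lag; random data gives about 0.5, periodic data gives 0 or 1.
func BitAutocorrelation(data []byte, lag int) float64 {
	n := 8 * len(data)
	if lag <= 0 || lag >= n {
		return math.NaN()
	}
	agree := 0
	for i := 0; i+lag < n; i++ {
		if bitAt(data, i) == bitAt(data, i+lag) {
			agree++
		}
	}
	return float64(agree) / float64(n-lag)
}

func report(name string, data []byte) {
	fmt.Printf("%-9s balance=%.3f entropy=%.3f bits/byte autocorr(lag1)=%.3f autocorr(lag8)=%.3f\n",
		name, BitBalance(data), ByteEntropy(data), BitAutocorrelation(data, 1), BitAutocorrelation(data, 8))
}

func main() {
	random := make([]byte, 4096)
	if _, err := rand.Read(random); err != nil {
		panic(err)
	}
	report("random", random)
	// Constructed bad "key material": the byte 0xAA (10101010) repeated.
	periodic := make([]byte, 4096)
	for i := range periodic {
		periodic[i] = 0xAA
	}
	report("periodic", periodic)
}
```

Passing these checks is necessary but nowhere near sufficient (a counter encrypted under a known key passes all three), which is why the slide points to full test batteries and certification programs rather than to individual metrics.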
© 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 86
Outline
• Symmetric cryptography – Symmetric encryption algorithms – Cipher block modes of operation – Padding – Encryption devices: location and management – Key-distribution with symmetric cryptography
© 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 87
Modes of Operation
• Block ciphers encrypt fixed-size blocks – eg. DES encrypts 64-bit blocks with a 56-bit key
• In practice we need some way to encrypt/decrypt arbitrary amounts of data
• ANSI X3.106-1983 Modes of Use (now FIPS 81) defines 4 possible modes: ECB, CBC, CFB, OFB
• Subsequently a 5th mode was defined for AES & DES: CTR • There are block and stream modes
© 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 88
• Electronic Codebook Mode (ECB) – Plaintext blocks are encrypted independently of each other
• Fast, parallelizable
• Message repetitions may show in the ciphertext
– if aligned with the message block – particularly with data such as graphics – or with messages that change very little, which become a code-book analysis problem
• The weakness is due to the encrypted message blocks being independent: the same plaintext block produces the same ciphertext block (under the same key)
• Main use is sending a few blocks of data
© 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 89
ECB: manipulation of encrypted blocks Ex., electronic banking transaction, ref. with DES 1 block = 64 bits
[Figure: a transaction message laid out in DES blocks – Timestamp | Swift Code ID Bank Orig. | Swift Code ID Bank Dest | Name of entity (ex., 6 blocks) | IBAN Dest. Account (ex., 4 blocks) | Amount (EUROS) | OPcode – sent from Bank A to Bank B, with Mallory in between]
Eavesdropping + message replaying + message tampering (on specific blocks)
© 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 90
ECB (graphics, patterns)
[Figure: what we want … vs. plaintext and ciphertext with ECB]
© 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 91
• Cipher Block Chaining Mode (CBC) – The input to the encryption algorithm is the XOR of the current plaintext block and the preceding ciphertext block. – Repeating 64-bit patterns are not exposed
• Use an Initialization Vector (IV) to start the process: Ci = DES_K1(Pi XOR Ci-1), C-1 = IV
• Uses: bulk data encryption, authentication
• Same plaintext blocks => different ciphertext blocks, even when the same key is used (with different IVs)
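The "code-book" leak of ECB and the way CBC's chaining hides it can be checked with a single metric: the number of repeated ciphertext blocks. The Go program below is an added example (not from the slides); it uses AES-128 with a constructed fixed key and IV purely so that the run is reproducible, and implements ECB by hand because Go's standard library deliberately provides no ECB mode:

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// EncryptECB encrypts every block independently: C_i = E_K(P_i). Calling
// Block.Encrypt per block is exactly what ECB does; it is written out here
// only to make the leak visible.
func EncryptECB(block cipher.Block, plaintext []byte) []byte {
	bs := block.BlockSize()
	if len(plaintext)%bs != 0 {
		panic("plaintext length must be a multiple of the block size")
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out
}

// EncryptCBC chains the blocks: C_i = E_K(P_i XOR C_{i-1}), C_{-1} = IV.
func EncryptCBC(block cipher.Block, iv, plaintext []byte) []byte {
	out := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plaintext)
	return out
}

// DuplicateBlocks counts ciphertext blocks equal to an earlier block. A
// sound mode with a fresh IV gives 0; every repeat is a plaintext repeat
// handed to the eavesdropper.
func DuplicateBlocks(ciphertext []byte, bs int) int {
	seen := make(map[string]bool)
	dups := 0
	for i := 0; i+bs <= len(ciphertext); i += bs {
		k := string(ciphertext[i : i+bs])
		if seen[k] {
			dups++
		}
		seen[k] = true
	}
	return dups
}

// DemoDuplicateCounts encrypts four identical 16-byte blocks with AES under
// a constructed demo key/IV and returns the duplicate count for ECB and CBC.
func DemoDuplicateCounts() (ecbDups, cbcDups int) {
	key := bytes.Repeat([]byte{0x11}, 16) // constructed demo key (never fix a key like this in real code)
	iv := bytes.Repeat([]byte{0x22}, 16)  // constructed demo IV (must be fresh per message in real code)
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	plaintext := bytes.Repeat([]byte("ATTACK AT DAWN!!"), 4) // 4 x 16 bytes, all identical
	return DuplicateBlocks(EncryptECB(block, plaintext), 16),
		DuplicateBlocks(EncryptCBC(block, iv, plaintext), 16)
}

func main() {
	e, c := DemoDuplicateCounts()
	fmt.Printf("identical plaintext blocks visible in the ciphertext: ECB=%d, CBC=%d\n", e, c)
}
```

The same DuplicateBlocks check is a cheap detector to run over stored ciphertext when auditing a legacy system: any repeat count above zero on data encrypted with a block mode is a sign that ECB (or a reused key/IV pair) is in use.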
© 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 93
Security:
• + Plaintext patterns concealed by XORing with the previous ciphertext block – the input to each block is randomized by the previous ciphertext block
• + Any change to a block affects all following ciphertext blocks
• +/- Plaintext somewhat difficult to manipulate (only the 1st and the last block can be removed); bits changed in the first block: repetition allows controlled changes
• + More than one message can be encrypted with the same key
• + A ciphertext block depends on all blocks before it
Performance:
• + Speed is ~the same as the block cipher
• - But the ciphertext is up to one block longer than the plaintext
• - No pre-processing is possible
• -/+ Encryption is not parallelizable, but decryption is parallelizable and has a random-access property
© 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 94
Fault-tolerance:
• - Needs an Initialization Vector (IV) – which must be known to sender & receiver
• Requires synchronization – if the IV is sent in the clear, an attacker can change bits of the first block and change the IV to compensate – hence the IV must either be a fixed value (as in EFTPOS) – or must be sent encrypted in ECB mode before the rest of the message
• A ciphertext error affects one full plaintext block and the corresponding bit in the next block
• Synchronization errors are unrecoverable
© 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 95
• Cipher Feedback Mode (CFB) – Conversion of a block cipher into a stream cipher (byte-oriented use of a block cipher)
• The message is treated as a stream of bits • Added (XOR) to the output of the block cipher • The result is fed back for the next stage (hence the name) • The standard allows any number of bits (1, 8, 64 or 128, etc.) to be fed back – denoted CFB-1, CFB-8, CFB-64, CFB-128, etc.
• Most efficient to use all bits in the block (64 or 128): Ci = Pi XOR DES_K1(Ci-1), C-1 = IV
• Uses: stream data encryption, authentication
© 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 97
Security:
• + Appropriate when data arrives in bits/bytes; the most common stream mode (not counting counter mode)
• + Plaintext concealed; the input to the block cipher is randomized
• + More than one message can be encrypted with the same key (changing the IV)
• +/- Plaintext somewhat difficult to manipulate (only the 1st and the last block can be removed); bits changed in the first block: repetition allows controlled changes
Performance:
• + Speed is ~the same as the block cipher
• + Ciphertext has the same size as the plaintext (not counting the IV)
• +/- Encryption not parallelizable, decryption parallelizable and with a random-access property
• + Some pre-processing is possible (the previous ciphertext can be encrypted before a new plaintext block arrives) – Note that the block cipher is used in encryption mode at both
© 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 98
Fault-tolerance:
• The limitation is the need to stall while doing a block encryption after every n bits
• Errors propagate for several blocks after the error: affecting the corresponding bits of plaintext and the next full block
• Synchronization errors of full block sizes are recoverable. A 1-bit CFB can recover from the addition or loss of single bits
© 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 99
• Output Feedback Mode (OFB) – The message is treated as a stream of bits • The output of the cipher is added (XOR) to the message • The output is then fed back (hence the name) • The feedback is independent of the message
• It can be computed in advance: Ci = Pi XOR Oi, Oi = DES_K1(Oi-1), O-1 = IV
• Uses: stream encryption on noisy channels
© 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 100
Security:
• + Plaintext patterns concealed • + Input to the block cipher is randomized
• + More than one message can be encrypted with the same key (provided that a different IV is used)
• - Plaintext is very easy to manipulate; any change in the ciphertext directly affects the plaintext – more vulnerable to message stream modification. A variation of a Vernam cipher – hence the same sequence (key+IV) must never be reused
• Originally specified with m-bit feedback (but subsequent research has shown that only full block feedback, i.e., OFB-64 or OFB-128, should ever be used for high security)
Performance:
• + Speed is ~the same as the block cipher
• + Ciphertext is the same size as the plaintext, not counting the IV
• + Pre-processing possible before the message is seen
• -/+ Not parallelizable
© 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 101
Fault-tolerance:
• + Bit errors do not propagate – a ciphertext error affects only the corresponding bit of plaintext
• - But sender & receiver must remain in sync: a synchronization error is not recoverable
© 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 102
• Counter Mode (CTR) – A “new” mode, though proposed early on • Similar to OFB but encrypts a counter value rather than any feedback value
• Must have a different key & counter value for every plaintext block (never reused): Ci = Pi XOR Oi, Oi = DES_K1(i)
• Uses: high-speed network encryption
© 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 104
Security:
• Same criteria as OFB – random access to encrypted data blocks – provable security (as good as the other modes) – but must ensure key/counter values are never reused, otherwise it could break (cf. OFB)
Performance:
• Efficiency: + ~the same as OFB, but better than OFB because it is parallelizable: can do parallel encryptions in h/w or s/w – can pre-process in advance of need – good for bursty high-speed links
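Both the OFB and the CTR slides above reduce to the same Vernam-style rule: the keystream derived from (key, IV) must never be used twice, because the second use cancels it out. The Go program below is an added example (not from the slides) that first makes the leak measurable (C1 XOR C2 equals P1 XOR P2 whenever the pair is reused) and then shows the simplest mitigation, an encryptor that records every IV used under its key and refuses a repeat. The key, IV and messages are constructed demo values:

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// StreamEncrypt applies OFB or CTR: C = P XOR keystream(K, IV).
func StreamEncrypt(mode string, key, iv, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	var stream cipher.Stream
	switch mode {
	case "OFB":
		stream = cipher.NewOFB(block, iv)
	case "CTR":
		stream = cipher.NewCTR(block, iv)
	default:
		panic("mode must be OFB or CTR")
	}
	out := make([]byte, len(plaintext))
	stream.XORKeyStream(out, plaintext)
	return out
}

// ReusedKeystreamLeaksXor encrypts two messages under the same key and IV
// and reports whether C1 XOR C2 equals P1 XOR P2: with the keystream
// cancelled out, an eavesdropper is left with the XOR of the plaintexts.
func ReusedKeystreamLeaksXor(mode string, key, iv, p1, p2 []byte) bool {
	c1 := StreamEncrypt(mode, key, iv, p1)
	c2 := StreamEncrypt(mode, key, iv, p2)
	return bytes.Equal(xorBytes(c1, c2), xorBytes(p1, p2))
}

// ErrIVReuse is returned when a (key, IV) pair would be used a second time.
var ErrIVReuse = errors.New("IV already used under this key: keystream reuse refused")

// Encryptor is the mitigation: it remembers every IV used under its key
// (hypothetical helper; a real system would persist this or use a counter).
type Encryptor struct {
	mode string
	key  []byte
	used map[string]bool
}

func NewEncryptor(mode string, key []byte) *Encryptor {
	return &Encryptor{mode: mode, key: key, used: make(map[string]bool)}
}

func (e *Encryptor) Encrypt(iv, plaintext []byte) ([]byte, error) {
	if e.used[string(iv)] {
		return nil, ErrIVReuse
	}
	e.used[string(iv)] = true
	return StreamEncrypt(e.mode, e.key, iv, plaintext), nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 16) // constructed demo key
	iv := bytes.Repeat([]byte{0x01}, 16)  // constructed demo IV
	p1 := []byte("meeting at 10:00")
	p2 := []byte("meeting at 16:30")
	for _, mode := range []string{"OFB", "CTR"} {
		fmt.Printf("%s, same key+IV twice: C1^C2 == P1^P2 ? %v\n", mode, ReusedKeystreamLeaksXor(mode, key, iv, p1, p2))
	}
	enc := NewEncryptor("CTR", key)
	_, err1 := enc.Encrypt(iv, p1)
	_, err2 := enc.Encrypt(iv, p2)
	fmt.Println("first use of the IV:", err1, "| second use:", err2)
}
```

Note that the guard only covers the keystream-reuse problem; the "plaintext is very easy to manipulate" point on the same slides is not addressed by it and calls for an authentication tag, which is what the authenticated modes listed later (OCB, CCM, EAX, GCM, …) add.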
© 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 105
Security:
• CBC (entire blocks), CFB (mainly with m-bit blocks, more secure => larger m)
• ECB, OFB and Counter: plaintext easy to manipulate
Performance:
• ECB, CTR (parallelizable) • CFB (only partial parallelization, in the decryption) • CBC the same but no pre-processing • OFB no parallelization, no pre-processing
Fault-tolerance:
• CFB – synchronization errors of full block sizes are recoverable, … but a ciphertext error affects the corresponding bit of plaintext + the next full block; OFB, CTR (ciphertext errors only affect the corresponding bit in the plaintext)
• ECB, CBC, OFB, CTR – sync. errors unrecoverable
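The fault-tolerance rows of the comparison above can be verified experimentally: inject a one-bit error into one ciphertext block, decrypt with each mode, and count which plaintext bytes changed. The Go program below is an added example (not from the slides); it uses AES-128 with constructed key, IV and plaintext so that the run is reproducible, and Go's CFB is the full-block CFB-128 variant:

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

const blockSize = 16

func encryptMode(mode string, block cipher.Block, iv, pt []byte) []byte {
	ct := make([]byte, len(pt))
	switch mode {
	case "CBC":
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	case "CFB":
		cipher.NewCFBEncrypter(block, iv).XORKeyStream(ct, pt)
	case "OFB":
		cipher.NewOFB(block, iv).XORKeyStream(ct, pt)
	case "CTR":
		cipher.NewCTR(block, iv).XORKeyStream(ct, pt)
	default:
		panic("unknown mode " + mode)
	}
	return ct
}

func decryptMode(mode string, block cipher.Block, iv, ct []byte) []byte {
	pt := make([]byte, len(ct))
	switch mode {
	case "CBC":
		cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	case "CFB":
		cipher.NewCFBDecrypter(block, iv).XORKeyStream(pt, ct)
	case "OFB":
		cipher.NewOFB(block, iv).XORKeyStream(pt, ct)
	case "CTR":
		cipher.NewCTR(block, iv).XORKeyStream(pt, ct)
	default:
		panic("unknown mode " + mode)
	}
	return pt
}

// ErrorPropagation encrypts four blocks, flips one bit of ciphertext block
// flipBlock (a transmission error), decrypts, and returns how many
// plaintext bytes changed in each of the four blocks.
func ErrorPropagation(mode string, flipBlock int) []int {
	key := bytes.Repeat([]byte{0x33}, 16) // constructed demo key
	iv := bytes.Repeat([]byte{0x44}, 16)  // constructed demo IV
	pt := bytes.Repeat([]byte("0123456789ABCDEF"), 4) // 4 blocks of 16 bytes
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	ct := encryptMode(mode, block, iv, pt)
	ct[flipBlock*blockSize+5] ^= 0x01 // single-bit error in byte 5 of that block
	got := decryptMode(mode, block, iv, ct)
	changed := make([]int, len(pt)/blockSize)
	for i := range pt {
		if pt[i] != got[i] {
			changed[i/blockSize]++
		}
	}
	return changed
}

func main() {
	for _, mode := range []string{"CBC", "CFB", "OFB", "CTR"} {
		fmt.Printf("%s: changed plaintext bytes per block after a 1-bit error in block 1: %v\n",
			mode, ErrorPropagation(mode, 1))
	}
}
```

The output matches the slide: CBC garbles the whole damaged block and flips exactly one bit of the next one; CFB flips exactly one bit in the damaged block and garbles the next one; OFB and CTR flip only the single corresponding bit. The same experiment, read from the attacker's side, is why the slide marks the last two as easy to manipulate.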
© 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 106
OCB Mode (generic encryption mode)
© 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 107
OCB Mode (Authentication computation)
© 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 108
Other usual modes (wireless communication settings) • Mix of counter modes, efficient block chaining, and merging of general encryption with authentication proofs, with the same goals as OCB – Examples:
• IAPM • XCBC • CCM • EAX • GCM • CWC • PCFB • CS
© 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 109
Comparative analysis • See, ex.: Svenda, IPICS 2004, Basic comparison of Modes for Authenticated-Encryption (IAPM, XCBC, OCB, CCM, EAX, CWC, GCM, PCFB, CS)
© 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 110
• Interleaving technique – Ex., CBC Interleaving
• Multiplex/Demultiplex with Interleaving – Single message – Multiple messages
© 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 111
Outline
• Symmetric cryptography – Symmetric encryption algorithms – Cipher block modes of operation – Padding – Encryption devices: location and management – Key-distribution with symmetric cryptography
© 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 112
Message Padding
• At the end of the message a possible last short block must be handled – one which is not as large as the block size of the cipher – pad either with a known non-data value (eg. nulls) – or pad the last block along with a count of the pad size
• eg. [ b1 b2 b3 0 0 0 0 5] • means 3 data bytes, then 5 bytes of pad+count
– this may require an entire extra block beyond those in the message
• Padding standardization: PKCS#5, PKCS#7, OAEP, etc – See practical classes / labs - examples
• There are other, more esoteric modes, which avoid the need for an extra block
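The two padding schemes on the slide (zero fill plus a trailing count, and PKCS#5/#7 where every pad byte carries the count) and their validation on removal, as an added Go example that is not part of the slides. The block size is a parameter so that the 8-byte DES case of the slide and the 16-byte AES case both work; note the "extra entire block" case when the data already fills the last block:

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// ErrBadPadding is returned for any structurally invalid padding. In a real
// decryptor this result must not be distinguishable to a remote party from
// any other decryption failure (timing included).
var ErrBadPadding = errors.New("invalid padding")

// PadCountTrailer implements the scheme on the slide: fill with zero bytes
// and put the total pad length (count byte included) in the last byte.
// Example: 3 data bytes with an 8-byte block -> [b1 b2 b3 0 0 0 0 5].
// When the data already fills the last block, a whole extra block is added.
func PadCountTrailer(data []byte, bs int) []byte {
	n := bs - len(data)%bs // always 1..bs, never 0
	out := make([]byte, len(data)+n)
	copy(out, data)
	out[len(out)-1] = byte(n)
	return out
}

// UnpadCountTrailer reverses PadCountTrailer, rejecting a count outside
// 1..bs and any non-zero byte in the pad body.
func UnpadCountTrailer(padded []byte, bs int) ([]byte, error) {
	if len(padded) == 0 || len(padded)%bs != 0 {
		return nil, ErrBadPadding
	}
	n := int(padded[len(padded)-1])
	if n < 1 || n > bs {
		return nil, ErrBadPadding
	}
	for _, b := range padded[len(padded)-n : len(padded)-1] {
		if b != 0 {
			return nil, ErrBadPadding
		}
	}
	return padded[:len(padded)-n], nil
}

// PadPKCS7 appends n bytes each equal to n (PKCS#5 is the bs == 8 case).
// Example: 3 data bytes with an 8-byte block -> [b1 b2 b3 5 5 5 5 5].
func PadPKCS7(data []byte, bs int) []byte {
	n := bs - len(data)%bs
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// UnpadPKCS7 reverses PadPKCS7, checking every pad byte, not just the last.
func UnpadPKCS7(padded []byte, bs int) ([]byte, error) {
	if len(padded) == 0 || len(padded)%bs != 0 {
		return nil, ErrBadPadding
	}
	n := int(padded[len(padded)-1])
	if n < 1 || n > bs {
		return nil, ErrBadPadding
	}
	for _, b := range padded[len(padded)-n:] {
		if int(b) != n {
			return nil, ErrBadPadding
		}
	}
	return padded[:len(padded)-n], nil
}

func main() {
	data := []byte{0xb1, 0xb2, 0xb3} // the slide's three data bytes, constructed
	fmt.Printf("count trailer, 8-byte block: % x\n", PadCountTrailer(data, 8))
	fmt.Printf("PKCS#7,        8-byte block: % x\n", PadPKCS7(data, 8))
	full := bytes.Repeat([]byte{0xaa}, 8) // already block-aligned: an extra block is added
	fmt.Printf("count trailer, aligned input: % x\n", PadCountTrailer(full, 8))
	if _, err := UnpadPKCS7([]byte{0xb1, 0xb2, 0xb3, 5, 5, 5, 5, 4}, 8); err != nil {
		fmt.Println("corrupted PKCS#7 padding rejected:", err)
	}
}
```

Checking every pad byte (rather than only the count) is what lets the receiver detect a damaged or tampered last block; how that rejection is reported back to the sender is a separate concern, since a distinguishable "bad padding" response under CBC is exactly what a padding-oracle attacker looks for.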
© 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 113
Outline
• Symmetric cryptography – Symmetric encryption algorithms – Cipher block modes of operation – Padding – Encryption devices: location and management – Key-distribution with symmetric cryptography
© 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 114
Security principles • Correct use of symmetric cryptography
– Need for secure key distribution and management
– Choose between block and stream ciphers according to the application needs and security concerns
– Key sharing is an issue for applications with a large number of principals
• One single key for all the principals is not a good idea • Possible approach: pair-wise shared keys • Problem: for N principals you need to establish N x (N-1)/2 keys in the environment: 1 for 2, 3 for 3, 6 for 4, 10 for 5, …, 45 for 10, …, 4500 for 100, …
© 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 115
Security principles
– Minimize the exposure of keys • Minimal exposure in memory during runtime processes (discard a key as soon as you no longer need it)
• Paranoid: delete/overwrite memory explicitly with random bits …
© 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 117
• Link encryption: – Many encryption devices (smart cards, TPMs) – High level of security – Decrypts each packet at every switch
• End-to-end encryption – The source encrypts and the receiver decrypts – Payload encrypted – Header in the clear – But you can encrypt headers with tunneling techniques (how?)
• High security: – Both link and end-to-end encryption are needed – Virtualization
• VMs and isolation (hypervisor solutions) • CPU virtualization + I/O virtualization • Network perimeter defenses
© 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 118
Managing keys securely
• Different keys (or different passwords, different key seeds, etc.) for different security domains
– Managed with a MASTER KEY protecting a “Trust Repository” (software vs. hardware local strong encryption)
– http://hackaday.com/2010/09/27/gpu-processing-and-password-cracking/
• Keys and cryptographic functions “inside” trusted computing modules (smartcards, HW tamper-proof modules or TPMs)
© 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 119
Outline
• Symmetric cryptography – Symmetric encryption algorithms – Cipher block modes of operation – Padding – Encryption devices: location and management – Key-distribution with symmetric cryptography
© 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 120
Establishment of symmetric keys • Scale problem and key-management issues
– How many shared keys are managed by each principal? • Possibility: 1 single key, shared with everybody (not a good idea) • One key shared by each pair of principals (pairwise keys): – Combinations of N, 2 by 2: N x (N-1)/2 keys – 10 principals: 45 keys, 11 principals: 55 keys, ...
• How to recover a lost key? • How to dismiss (revoke) compromised keys?
– End-to-end vs. link-to-link level
• PFS and PBS problem – Perfect Forward Secrecy and Perfect Backward Secrecy – Key independence for “perfect” – Fast methods for rekeying – Key-contribution and fairness requirements
© 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 121
You need secure key-distribution protocols to use cryptography
Possible solutions 1. A key could be selected by A and physically delivered to B, involving a key agreement between A and B
2. A third party could select the key and physically deliver it to A and B
3. If A and B have previously used a key, one party could transmit the new key to the other, encrypted using the old key.
4. If A and B each have an encrypted connection to a third party C, C could deliver a key on the encrypted links to A and B.
© 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 122
• Session keys: – Data encrypted with a one-time session key – Or a one-time pad (rekeying) for each message in a session – At the conclusion of the session, or message by message, the key is destroyed (ephemeral keys)
• Permanent keys: – Used between entities for the purpose of distributing session keys • Used as long-term shared keys for the renegotiation of new session keys (rekeying process) • Example: shared symmetric keys between the principals and KDCs • Example: public keys registered in PKCs – for possible direct negotiation of shared symmetric keys by the principals themselves
– Keep in mind: it is a long-term secret – critical to be managed and kept secure
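Solution 4 of the "possible solutions" slide, with the permanent/session key split of the slide above, in working form: a KDC that keeps one permanent key per principal (N keys instead of the N(N-1)/2 pairwise keys) picks a fresh session key and delivers it to A and B, each copy protected under that principal's permanent key. This is an added Go example, not from the slides or from any of the named protocols (Needham-Schroeder and its successors add nonces, timestamps and identity checks that are omitted here); AES-GCM is used for the protected delivery so that a copy altered in transit is rejected, and the permanent keys are constructed demo values:

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// PairwiseKeys is the number of shared keys N principals need without a
// KDC: one per pair, N(N-1)/2. With a KDC each principal keeps one
// permanent key, N in total.
func PairwiseKeys(n int) int { return n * (n - 1) / 2 }

// wrap protects a session key under a permanent key with AES-GCM so that
// delivery is confidential and authenticated. The random nonce is prefixed
// and label (the pair of principals the key is for) is bound as associated data.
func wrap(permanentKey, sessionKey, label []byte) ([]byte, error) {
	block, err := aes.NewCipher(permanentKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, sessionKey, label), nil
}

func unwrap(permanentKey, wrapped, label []byte) ([]byte, error) {
	block, err := aes.NewCipher(permanentKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(wrapped) < ns {
		return nil, errors.New("wrapped key too short")
	}
	return aead.Open(nil, wrapped[:ns], wrapped[ns:], label)
}

// KDC holds one permanent (long-term) key per principal (hypothetical minimal model).
type KDC struct{ permanent map[string][]byte }

// IssueSessionKey picks a fresh ephemeral key for the pair (a, b) and returns
// it wrapped once under A's permanent key and once under B's.
func (k *KDC) IssueSessionKey(a, b string) (forA, forB []byte, err error) {
	ka, okA := k.permanent[a]
	kb, okB := k.permanent[b]
	if !okA || !okB {
		return nil, nil, errors.New("unknown principal")
	}
	session := make([]byte, 16)
	if _, err := rand.Read(session); err != nil {
		return nil, nil, err
	}
	label := []byte(a + "|" + b)
	if forA, err = wrap(ka, session, label); err != nil {
		return nil, nil, err
	}
	if forB, err = wrap(kb, session, label); err != nil {
		return nil, nil, err
	}
	return forA, forB, nil
}

// DemoKDC runs one distribution and reports whether A and B end up with the
// same session key and whether a copy corrupted in transit is rejected.
func DemoKDC() (sameKey, tamperRejected bool, err error) {
	keyA := bytes.Repeat([]byte{0xA1}, 16) // constructed permanent key of A
	keyB := bytes.Repeat([]byte{0xB2}, 16) // constructed permanent key of B
	kdc := &KDC{permanent: map[string][]byte{"A": keyA, "B": keyB}}
	forA, forB, err := kdc.IssueSessionKey("A", "B")
	if err != nil {
		return false, false, err
	}
	label := []byte("A|B")
	skA, err := unwrap(keyA, forA, label)
	if err != nil {
		return false, false, err
	}
	skB, err := unwrap(keyB, forB, label)
	if err != nil {
		return false, false, err
	}
	tampered := append([]byte{}, forB...)
	tampered[len(tampered)-1] ^= 0x80 // one flipped bit on the wire
	_, tErr := unwrap(keyB, tampered, label)
	return bytes.Equal(skA, skB), tErr != nil, nil
}

func main() {
	for _, n := range []int{2, 3, 4, 5, 10} {
		fmt.Printf("%2d principals: %d pairwise keys vs %d KDC keys\n", n, PairwiseKeys(n), n)
	}
	same, rejected, err := DemoKDC()
	fmt.Println("A and B share the same session key:", same, "| tampered delivery rejected:", rejected, "| error:", err)
}
```

The permanent keys are the long-term secrets the slide warns about: they never leave the KDC and the principal, and everything else in the exchange is ephemeral and can be discarded when the session ends.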
© 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 124
Different key-distribution protocols • Protocols with symmetric cryptography
– For entity authentication (no key distribution) – Server-less key establishment – Server-based key establishment (or KDC based) – Multiple-server-based key establishment
• Protocols with asymmetric cryptography – Entity-authentication based (no key distribution) – Server-based (or PKC-based) protocols
• Key-agreement protocols – Diffie-Hellman based – Elliptic-Curve D-H (ECDH scheme) – Identity-based – Conference or group-oriented
• Hybrid protocols
© 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 125
Different key-distribution protocols KDC-based protocols (…):
• Needham-Schroeder and variants • Otway-Rees • Neuman-Stubblebine • Miller-Neuman (Kerberos) • Yahalom • Wide Mouth Frog • Janson-Tsudik • Bellare-Rogaway • Woo-Lam • Gong • Boyd
• PKC-based protocols (…) • Needham-Schroeder with public-key crypto and variants • … Many others • PKI-based key distribution, X.509 authentication services • TLS scheme • Beller-Chang-Yacobi • TMN • AKA
© 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 126
• William Stallings, Network Security Essentials, Chap. 2 (summarized vision)
• William Stallings, Cryptography and Network Security: Principles and Practice, 4th edition (2006; also 2nd edition), Pearson / Prentice Hall, chap. 2, chap. 3, chap. 5 and chap. 6
• Schneier, B., Applied Cryptography, New York: Wiley, 1996
• Complementary (for authentication and key establishment): Colin Boyd and A. Mathuria, Protocols for Authentication and Key Establishment, Springer, 2003
• Base protocols (ex., Needham-Schroeder): Distributed Systems bibliography. See also http://en.wikipedia.org/wiki/Needham–Schroeder_protocol