Lecture 02 Symmetric Cryptography
Asst.Prof. Supakorn Kungpisdan, [email protected]
NETE0519-ISEC0513 1
Outline
Overview of Cryptography
Symmetric Cryptography
Classical Cryptographic Techniques
Block Ciphers vs Stream Ciphers
DES and 3DES
Advanced Encryption Standard (AES)
Design of Symmetric Cryptosystems
Locations of Encryption Devices
Key Distribution
Random Numbers
Problems of Symmetric Cryptography
Basic Terminology
plaintext - original message
ciphertext - coded message
cipher - algorithm for transforming plaintext to ciphertext
key - info used in cipher known only to sender/receiver
encipher (encrypt) - converting plaintext to ciphertext
decipher (decrypt) - recovering plaintext from ciphertext
cryptography - study of encryption principles/methods
cryptanalysis (codebreaking) - study of principles/methods of deciphering ciphertext without knowing key
cryptology - field of both cryptography and cryptanalysis
How a Cryptosystem Works
Plaintext (M) (data file or messages)
-> encryption algorithm (E) + secret key A (KA)
-> Ciphertext (C) (stored or transmitted safely)
-> decryption algorithm (D) + secret key B (KB)
-> Plaintext (M) (original data or messages)
Note: Key A may be the same as Key B, depending on the algorithm
EKa(M) = C
DKb(C) = M
DKb(EKa(M)) = M
Brute Force Search
always possible to simply try every key
most basic attack, proportional to key size
assume either know / recognise plaintext

Key Size (bits)             | Number of Alternative Keys | Time required at 1 decryption/µs  | Time required at 10^6 decryptions/µs
32                          | 2^32 = 4.3 x 10^9          | 2^31 µs = 35.8 minutes            | 2.15 milliseconds
56                          | 2^56 = 7.2 x 10^16         | 2^55 µs = 1142 years              | 10.01 hours
128                         | 2^128 = 3.4 x 10^38        | 2^127 µs = 5.4 x 10^24 years      | 5.4 x 10^18 years
168                         | 2^168 = 3.7 x 10^50        | 2^167 µs = 5.9 x 10^36 years      | 5.9 x 10^30 years
26 characters (permutation) | 26! = 4 x 10^26            | 2 x 10^26 µs = 6.4 x 10^12 years  | 6.4 x 10^6 years
Types of Cryptography
Symmetric Cryptography
Deploy the same secret key to encrypt and decrypt messages
The secret key is shared between two parties
Encryption algorithm is the same as decryption algorithm
Asymmetric (Public-key) Cryptography
Private key, Public key
The secret key is not shared and two parties can still communicate using their public keys
Encryption alg. is different from decryption alg.

Symmetric Cryptography

Public-Key Cryptography
Model of Symmetric Cryptosystem
What is Symmetric Encryption used for?
Transmitting data over an insecure channel
Secure stored data (encrypt & store)
Provide integrity check
Properties of Symmetric Cryptography
Message Confidentiality
Message Authentication
Message Integrity

Cryptanalysis
Depending on what a cryptanalyst has to work with, attacks can be classified into:
Ciphertext only attack
Known plaintext attack
Chosen plaintext attack
Chosen ciphertext attack (most severe)
Ciphertext-only Attack
Collect ciphertexts of several messages encrypted using the same encryption algorithm and try to recover plaintexts or encrypting key(s).
Given: C1 = Ek(P1), C2=Ek(P2), ..., Ci=Ek(Pi)
Deduce: Either P1, P2, …, Pi; k; or an algorithm to infer Pi+1 from Ci+1=Ek(Pi+1)
Known-plaintext Attack
Able to collect ciphertext of several messages and corresponding plaintext, and try to resolve the encrypting key(s).
Given: P1, C1 = Ek(P1), P2, C2 = Ek(P2), ..., Pi, Ci = Ek(Pi)
Deduce: Either k, or an algorithm to infer Pi+1 from Ci+1 = Ek(Pi+1)
Chosen-plaintext Attack
Able to collect ciphertext of several messages and associated plaintext, and also able to choose the plaintext that gets encrypted. Try to deduce the encrypting key(s).
More powerful than known-plaintext attack
Given: P1, C1 = Ek(P1), P2, C2 = Ek(P2), ..., Pi, Ci = Ek(Pi)
where the cryptanalyst gets to choose P1, …, Pi
Deduce: Either k, or an algorithm to infer Pi+1 from Ci+1 = Ek(Pi+1)
Chosen-ciphertext Attack
Able to choose different ciphertexts to be decrypted and has access to the decrypted plaintext. Try to deduce the key.
E.g. has access to a tamperproof box that performs decryption automatically.
Given: C1, P1 = Dk(C1), C2, P2 = Dk(C2), ..., Ci, Pi = Dk(Ci)
Deduce: k
Primarily applicable to public-key algorithms.
More Definitions
unconditional security: no matter how much computer power or time is available, the cipher cannot be broken since the ciphertext provides insufficient information to uniquely determine the corresponding plaintext
computational security: given limited computing resources (eg time needed for calculations is greater than age of universe), the cipher cannot be broken
Substitution Ciphers
Character in plaintext is substituted for another character in ciphertext
Caesar Cipher: each plaintext character is replaced by the character three to the right modulo 26. E.g. A -> D, B -> E, X -> A
ROT13: commonly found in UNIX systems. Every plaintext character is rotated 13 places.
Caesar Cipher
earliest known substitution cipher
by Julius Caesar
first attested use in military affairs
replaces each letter by 3rd letter on
example:
meet me after the toga party
PHHW PH DIWHU WKH WRJD SDUWB

Caesar Cipher (cont.)
(Figure: cipher wheel with K = 3; inner ring: ciphertext, outer ring: plaintext)
Caesar Cipher (cont.)
can define transformation as:
a b c d e f g h i j k l m n o p q r s t u v w x y z
D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
mathematically give each letter a number
a b c d e f g h i j k l m n o p q r s t u v w x y z
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
then have Caesar cipher as:
c = E(p) = (p + k) mod 26
p = D(c) = (c - k) mod 26
Cryptanalysis of Caesar Cipher
only have 26 possible ciphers
A maps to A, B, ..., Z
could simply try each in turn
a brute force search
given ciphertext, just try all shifts of letters
do need to recognize when have plaintext
eg. break ciphertext "GCUA VQ DTGCM"
Monoalphabetic Cipher
rather than just shifting the alphabet
could shuffle (jumble) the letters arbitrarily
each plaintext letter maps to a different random ciphertext letter
hence key is 26 letters long
Plain:  abcdefghijklmnopqrstuvwxyz
Cipher: DKVQFIBJWPESCXHTMYAUOLRGZN
Plaintext:  ifwewishtoreplaceletters
Ciphertext: WIRFRWAJUHYFTSDVFSFUUFYA
Monoalphabetic Cipher Security
now have a total of 26! = 4 x 10^26 keys
with so many keys, might think is secure
but would be !!!WRONG!!!
problem is language characteristics
Language Redundancy and Cryptanalysis
human languages are redundant
eg "th lrd s m shphrd shll nt wnt"
letters are not equally commonly used
in English E is by far the most common letter
followed by T, R, N, I, O, A, S
other letters like Z, J, K, Q, X are fairly rare
have tables of single, double & triple letter frequencies for various languages

English Letter Frequencies
(Figure: relative frequency of each letter in English text)
Use in Cryptanalysis
key concept - monoalphabetic substitution ciphers do not change relative letter frequencies
discovered by Arabian scientists in 9th century
calculate letter frequencies for ciphertext
compare counts/plots against known values
if caesar cipher look for common peaks/troughs
peaks at: A-E-I triple, NO pair, RST triple
troughs at: JK, X-Z
for monoalphabetic must identify each letter
tables of common double/triple letters help
Example Cryptanalysis
given ciphertext:
UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ
VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX
EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ
count relative letter frequencies (see text)
guess P & Z are e and t
guess ZW is th and hence ZWP is the
proceeding with trial and error finally get:
it was disclosed yesterday that several informal but
direct contacts have been made with political
representatives of the viet cong in moscow
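The letter count the slide refers to, carried out in code. This is an added example and not part of the lecture: it tallies single letters and digrams in the slide's ciphertext and applies the slide's first three guesses (P -> e, Z -> t, W -> h) as a partial key, leaving unresolved ciphertext letters in upper case so the reader can see what the next guess should be.

```python
from collections import Counter

# The slide's ciphertext (120 letters), embedded here so the example runs offline.
CIPHERTEXT = (
    "UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ"
    "VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX"
    "EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ"
)


def letter_frequencies(text):
    """Return (letter, count, percent) tuples, most frequent first (ties broken alphabetically)."""
    letters = [c for c in text.upper() if c.isalpha()]
    counts = Counter(letters)
    total = len(letters)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(ch, n, round(100.0 * n / total, 2)) for ch, n in ranked]


def digram_counts(text):
    """Count adjacent letter pairs; a monoalphabetic cipher preserves digram structure as well."""
    letters = "".join(c for c in text.upper() if c.isalpha())
    return Counter(letters[i:i + 2] for i in range(len(letters) - 1))


def partial_decrypt(ciphertext, guesses):
    """Substitute the guessed letters (lower case); unresolved ciphertext letters stay upper case."""
    return "".join(guesses.get(c, c) for c in ciphertext.upper())


if __name__ == "__main__":
    for letter, n, pct in letter_frequencies(CIPHERTEXT)[:6]:
        print(f"{letter}: {n:2d} ({pct}%)")          # P and Z stand out, matching English e and t
    print("ZW digram count:", digram_counts(CIPHERTEXT)["ZW"])
    print(partial_decrypt(CIPHERTEXT, {"P": "e", "Z": "t", "W": "h"}))
```

Running the script shows P (13.33%) and Z (11.67%) well ahead of the rest, which is exactly the gap between e and t in English; the partial decryption then exposes "the" in the third line and gives the next letters to guess.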
Vigenère Cipher
simplest polyalphabetic substitution cipher
effectively multiple caesar ciphers
key is multiple letters long K = k1 k2 ... kd
ith letter specifies ith alphabet to use
use each alphabet in turn
repeat from start after d letters in message
decryption simply works in reverse
Example of Vigenère Cipher
write the plaintext out
write the keyword repeated above it
use each key letter as a caesar cipher key
encrypt the corresponding plaintext letter
eg using keyword deceptive
key:        deceptivedeceptivedeceptive
plaintext:  wearediscoveredsaveyourself
ciphertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ
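The Caesar transformation c = (p + k) mod 26, its 26-key brute-force search, and the Vigenère cipher built from it, as an added example that is not part of the lecture. The one assumption beyond the slides is the small COMMON_WORDS list used to "recognise when have plaintext" automatically; it stands in for a dictionary check.

```python
COMMON_WORDS = {"the", "to", "and", "of", "a", "in", "is", "it", "me"}


def shift_char(ch, k):
    """Shift one letter k places round the alphabet (mod 26); other characters pass through."""
    if not ch.isalpha():
        return ch
    base = ord("A") if ch.isupper() else ord("a")
    return chr((ord(ch) - base + k) % 26 + base)


def caesar_encrypt(plaintext, k=3):
    """c = E(p) = (p + k) mod 26; ciphertext written in upper case as on the slide."""
    return "".join(shift_char(c, k) for c in plaintext).upper()


def caesar_decrypt(ciphertext, k=3):
    """p = D(c) = (c - k) mod 26."""
    return "".join(shift_char(c, -k) for c in ciphertext).lower()


def caesar_brute_force(ciphertext):
    """All 26 candidate plaintexts: the key space is so small that trying every key is trivial."""
    return [(k, caesar_decrypt(ciphertext, k)) for k in range(26)]


def recognise_plaintext(candidates):
    """Pick the shift whose candidate contains the most common English words (a crude plaintext test)."""
    def score(text):
        return sum(1 for w in text.split() if w in COMMON_WORDS)
    return max(candidates, key=lambda kt: score(kt[1]))[0]


def vigenere_encrypt(plaintext, keyword):
    """Each key letter selects one Caesar alphabet; the key repeats every len(keyword) letters."""
    shifts = [ord(c) - ord("a") for c in keyword.lower()]
    out, i = [], 0
    for ch in plaintext:
        if ch.isalpha():
            out.append(shift_char(ch, shifts[i % len(shifts)]))
            i += 1
        else:
            out.append(ch)
    return "".join(out).upper()


def vigenere_decrypt(ciphertext, keyword):
    """Decryption runs the same schedule of shifts in reverse."""
    shifts = [ord(c) - ord("a") for c in keyword.lower()]
    out, i = [], 0
    for ch in ciphertext:
        if ch.isalpha():
            out.append(shift_char(ch, -shifts[i % len(shifts)]))
            i += 1
        else:
            out.append(ch)
    return "".join(out).lower()


if __name__ == "__main__":
    print(caesar_encrypt("meet me after the toga party"))
    for k, text in caesar_brute_force("GCUA VQ DTGCM"):
        print(k, text)
    print("best shift:", recognise_plaintext(caesar_brute_force("GCUA VQ DTGCM")))
    print(vigenere_encrypt("wearediscoveredsaveyourself", "deceptive"))
```

Note how little code separates Caesar from Vigenère: the only change is that the shift comes from a repeating key instead of a constant, which is why a Vigenère ciphertext splits into d interleaved Caesar ciphertexts once the key length d is known.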
Transposition Ciphers
now consider classical transposition or permutation ciphers
these hide the message by rearranging the letter order without altering the actual letters used
can recognise these since have the same frequency distribution as the original text
Rail Fence cipher
write message letters out diagonally over a number of rows
then read off cipher row by row
eg. write message out as:
m e m a t r h t g p r y
 e t e f e t e o a a t
giving ciphertext
MEMATRHTGPRYETEFETEOAAT
Row Transposition Ciphers
a more complex transposition
write letters of message out in rows over a specified number of columns
then reorder the columns according to some key before reading off the rows
Key:        3 4 2 1 5 6 7
Plaintext:  a t t a c k p
            o s t p o n e
            d u n t i l t
            w o a m x y z
Ciphertext: APTMTTNAAODWTSUOCOIXKNLYPETZ
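Both transposition ciphers from the slides, plus the frequency check that tells a transposition apart from a substitution, as an added example not taken from the lecture. The rail fence routine is written for any number of rails (a zig-zag), which for two rails is exactly the slide's even/odd split; the row transposition reads the column labelled 1 first, which reproduces the slide's ciphertext for key 3 4 2 1 5 6 7.

```python
from collections import Counter


def rail_fence_encrypt(message, rails=2):
    """Write the letters diagonally (zig-zag) over `rails` rows, then read the rows off in order."""
    letters = [c for c in message if c.isalpha()]
    rows = [[] for _ in range(rails)]
    r, step = 0, 1
    for c in letters:
        rows[r].append(c)
        if rails > 1:
            if r == rails - 1:
                step = -1
            elif r == 0:
                step = 1
            r += step
    return "".join("".join(row) for row in rows).upper()


def row_transposition_encrypt(message, key):
    """Write the message in rows of len(key) columns, then read the columns out in key order
    (the column labelled 1 first). Key 3 4 2 1 5 6 7 therefore reads column 4, then 3, then 1, ..."""
    letters = [c for c in message if c.isalpha()]
    ncols = len(key)
    rows = [letters[i:i + ncols] for i in range(0, len(letters), ncols)]
    out = []
    for label in sorted(key):
        col = key.index(label)
        out.extend(row[col] for row in rows if col < len(row))
    return "".join(out).upper()


def row_transposition_decrypt(ciphertext, key):
    """Rebuild the columns (the last row may be short) and read the rows back."""
    ncols, n = len(key), len(ciphertext)
    nrows = -(-n // ncols)                        # ceiling division
    in_last_row = n - (nrows - 1) * ncols         # how many columns reach the last row
    col_len = [nrows if c < in_last_row else nrows - 1 for c in range(ncols)]
    cols, pos = {}, 0
    for label in sorted(key):
        col = key.index(label)
        cols[col] = ciphertext[pos:pos + col_len[col]]
        pos += col_len[col]
    return "".join(cols[c][r] for r in range(nrows) for c in range(ncols) if r < col_len[c]).lower()


def same_letter_distribution(text_a, text_b):
    """A transposition only reorders letters, so plaintext and ciphertext have identical letter counts;
    comparing the two histograms is how a transposition cipher is recognised."""
    def count(t):
        return Counter(c for c in t.upper() if c.isalpha())
    return count(text_a) == count(text_b)


if __name__ == "__main__":
    print(rail_fence_encrypt("meet me after the toga party"))
    key = [3, 4, 2, 1, 5, 6, 7]
    ct = row_transposition_encrypt("attackpostponeduntiltwoamxyz", key)
    print(ct, row_transposition_decrypt(ct, key))
    print(same_letter_distribution("attackpostponeduntiltwoamxyz", ct))
```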
Steganography
Plaintext can be hidden by two ways:
Steganography: conceal the existence of the message
Cryptography: render the message unintelligible to outsiders using various kinds of transformation of the text
Examples of Steganography
Character marking: overwrite text with pencil
Invisible ink: use special substance
Pin punctures: pin puncture on selected letters
One-Time Pad
One-time pad is a large non-repeating set of truly random key letters
Encryption is addition modulo 26 of the plaintext character and the pad character
Pad length must be equal to the message length !!!
For example:
Message:      ONETIMEPAD
Pad Sequence: TBFRGFARFM
Ciphertext:   IPKLPSFHGQ
Because (numbering A = 1, B = 2, ..., Z = 26):
O + T mod 26 = I: 15 + 20 mod 26 = 9
N + B mod 26 = P: 14 + 2 mod 26 = 16
E + F mod 26 = K, etc.
Decryption: P + K mod 26 = C, so P = C - K mod 26
I - T mod 26 = 9 - 20 mod 26 = -11 mod 26 = -11 + 26 mod 26 = 15 mod 26 = O
One-Time Pad (cont.)
if a truly random key as long as the message is used, the cipher will be secure
called a One-Time pad
is unbreakable since ciphertext bears no statistical relationship to the plaintext
since for any plaintext & any ciphertext there exists a key mapping one to other
can only use the key once though
problems in generation & safe distribution of key
Cryptographic Process
Message m1 m2 ... mn -> Encryption -> Ciphertext c1 c2 ... cn
Ciphertext c1 c2 ... cn -> Decryption -> Message m1 m2 ... mn
Block Cipher VS Stream Cipher
Block cipher: divides the entire message into blocks, each of which is used to produce ciphertext.
Stream cipher: encrypts a data stream one bit or one byte at a time.
Stream Ciphers
process message bit by bit (as a stream)
have a pseudo random keystream
combined (XOR) with plaintext bit by bit
randomness of stream key completely destroys statistical properties in message
Ci = Mi XOR StreamKeyi
but must never reuse stream key
otherwise can recover messages (cf book cipher)
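An added example (not part of the lecture) covering the one-time pad slides and the stream cipher slide above. The letter version uses the slide's own numbering A = 1 ... Z = 26, written as (P + K - 1) mod 26 + 1 so that a sum of 26 still maps to a letter; the byte version is Ci = Mi XOR StreamKeyi, and keystream_reuse shows what the slide means by "otherwise can recover messages": with one keystream used twice, XORing the two ciphertexts cancels the key and leaves M1 XOR M2. The two sample messages are constructed for the demonstration.

```python
import os


def letter_to_num(ch):
    """The slide numbers letters A = 1 ... Z = 26."""
    return ord(ch.upper()) - ord("A") + 1


def num_to_letter(n):
    return chr(ord("A") + n - 1)


def otp_encrypt_letters(message, pad):
    """C = (P + K) mod 26 with 1-based letters; (P + K - 1) % 26 + 1 keeps a sum of 26 as Z.
    The pad must be truly random, at least as long as the message, and used exactly once."""
    if len(pad) < len(message):
        raise ValueError("pad must be at least as long as the message")
    return "".join(num_to_letter((letter_to_num(m) + letter_to_num(k) - 1) % 26 + 1)
                   for m, k in zip(message, pad))


def otp_decrypt_letters(ciphertext, pad):
    """P = (C - K) mod 26."""
    return "".join(num_to_letter((letter_to_num(c) - letter_to_num(k) - 1) % 26 + 1)
                   for c, k in zip(ciphertext, pad))


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(message, keystream):
    """Binary form of the same idea: Ci = Mi XOR StreamKeyi. Decryption is the identical operation."""
    return xor_bytes(message, keystream)


def keystream_reuse(c1, c2):
    """If one keystream encrypted two messages, C1 XOR C2 = M1 XOR M2: the key cancels out.
    Whoever knows (or can guess) M1 then reads M2 without ever learning the keystream."""
    return xor_bytes(c1, c2)


def reuse_demo():
    # Constructed sample messages of equal length; the keystream is drawn once and (wrongly) used twice.
    m1 = b"transfer 100 to alice"
    m2 = b"transfer 900 to alice"
    ks = os.urandom(len(m1))
    c1, c2 = stream_encrypt(m1, ks), stream_encrypt(m2, ks)
    leaked = keystream_reuse(c1, c2)
    recovered_m2 = xor_bytes(leaked, m1)                      # M1 known => M2 recovered
    differing_positions = [i for i, b in enumerate(leaked) if b]
    return recovered_m2, differing_positions


if __name__ == "__main__":
    print(otp_encrypt_letters("ONETIMEPAD", "TBFRGFARFM"))   # IPKLPSFHGQ as on the slide
    print(reuse_demo())
```

The reuse demo is the whole argument for the "one-time" in one-time pad and for never repeating a stream key (or an RC4 key, or a CTR nonce): even a perfectly random keystream leaks the XOR of the two messages, and the byte positions where the leak is non-zero tell an observer exactly where the messages differ.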
Stream Cipher Structure
Stream Cipher Properties
some design considerations are:
long period with no repetitions
statistically random
depends on large enough key
large linear complexity
properly designed, can be as secure as a block cipher with same size key
but usually simpler & faster
RC4
a proprietary cipher owned by RSA DSI
another Ron Rivest design, simple but effective
variable key size, byte-oriented stream cipher
widely used (web SSL/TLS, wireless WEP)
key forms random permutation of all 8-bit values
uses that permutation to scramble input info processed a byte at a time
RC4 Key Schedule
starts with an array S of numbers: 0..255
use key to well and truly shuffle S
forms internal state of the cipher
for i = 0 to 255 do
    S[i] = i
    T[i] = K[i mod keylen]
j = 0
for i = 0 to 255 do
    j = (j + S[i] + T[i]) (mod 256)
    swap (S[i], S[j])
RC4 Encryption
encryption continues shuffling array values
sum of shuffled pair selects "stream key" value from permutation
XOR S[t] with next byte of message to en/decrypt
i = j = 0
for each message byte Mi
    i = (i + 1) (mod 256)
    j = (j + S[i]) (mod 256)
    swap(S[i], S[j])
    t = (S[i] + S[j]) (mod 256)
    Ci = Mi XOR S[t]
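The key schedule and encryption loop from the two slides above, written out as running code. This is an added example, not the lecture's or RSA's code; it follows the pseudocode literally and is checked against the widely published RC4 test vector for key "Key" and plaintext "Plaintext". RC4 is kept here for study only: it has since been prohibited in TLS (RFC 7465) because of keystream biases.

```python
def rc4_key_schedule(key):
    """KSA from the slide: initialise S = 0..255, then use the key bytes to shuffle it."""
    S = list(range(256))
    T = [key[i % len(key)] for i in range(256)]
    j = 0
    for i in range(256):
        j = (j + S[i] + T[i]) % 256
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(S):
    """PRGA from the slide: keep shuffling S and emit S[t] each step. Works on a copy of S."""
    S = list(S)
    i = j = 0
    while True:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        t = (S[i] + S[j]) % 256
        yield S[t]


def rc4_crypt(key, data):
    """Ci = Mi XOR S[t]; the same call decrypts. One key must never encrypt two messages."""
    stream = rc4_keystream(rc4_key_schedule(key))
    return bytes(b ^ next(stream) for b in data)


if __name__ == "__main__":
    ct = rc4_crypt(b"Key", b"Plaintext")
    print(ct.hex())                                   # bbf316e8d940af0ad3
    print(rc4_crypt(b"Key", ct))                      # b'Plaintext'
```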
RC4 Overview
RC4 Security
claimed secure against known attacks
have some analyses, none practical
result is very non-linear
since RC4 is a stream cipher, must never reuse a key
have a concern with WEP, but due to key handling rather than RC4 itself
Block Cipher Principles
most symmetric block ciphers are based on a Feistel Cipher Structure
needed since must be able to decrypt ciphertext to recover messages efficiently
block ciphers look like an extremely large substitution
would need table of 2^64 entries for a 64-bit block
instead create from smaller building blocks using idea of a product cipher
Ideal Block Cipher
Claude Shannon and Substitution-Permutation Ciphers
Claude Shannon introduced idea of substitution-permutation (S-P) networks in 1949 paper
form basis of modern block ciphers
S-P nets are based on the two primitive cryptographic operations seen before:
substitution (S-box)
permutation (P-box)
provide confusion & diffusion of message & key
Diffusion and Confusion
Confusion: hard to find any relationship between ciphertext and key.
Diffusion: spreads influence of individual plaintext or key bits over as much of the ciphertext as possible.
In particular, one bit change of plaintext or key must increase the difficulty of cryptanalysis.
Block Cipher
Divide a message M into m1, …, mn
Add padding to last block
Use Ek to produce (ciphertext blocks) x1, …, xn
Use Dk to recover m1, …, mn (and so M) from x1, …, xn
Modes of Block Ciphers:
Electronic Codebook
Cipher Block Chaining
Cipher Feedback
Output Feedback
Counter (CTR)
Electronic Codebook
Electronic Codebook (cont’d)
Ideal for short amount of data transfer e.g. encryption key
ECB produces the same message pattern if using the same input.
Not secure for lengthy message, easy for cryptanalysis.
Cipher Block Chaining
Cipher Feedback
Output Feedback
Counter (CTR)
a "new" mode, though proposed early on
similar to OFB but encrypts counter value rather than any feedback value
must have a different key & counter value for every plaintext block (never reused)
Ci = Pi XOR Oi
Oi = DES_K1(i)
uses: high-speed network encryptions
Counter (CTR) (cont.)
Advantages and Limitations of CTR
efficiency
can do parallel encryptions in h/w or s/w
can preprocess in advance of need
good for bursty high speed links
random access to encrypted data blocks
provable security (good as other modes)
but must ensure never reuse key/counter values, otherwise could break (cf OFB)
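ECB, CBC and CTR over one block cipher, as an added example that is not part of the lecture. The cipher itself is an assumption for the example: a keyed random permutation of all 16-bit values, which is not secure and exists only so the modes can be run without a crypto library (DES and AES have 8- and 16-byte blocks). The demo encrypts a highly repetitive message and counts duplicate ciphertext blocks, which is the "same message pattern" leak the ECB slide warns about; CTR is written so that the counter block is the pair (nonce, i), and the same (key, nonce) must never be used twice.

```python
import os
import random

BLOCK = 2  # bytes: a 16-bit toy block keeps the permutation table small


class ToyBlockCipher:
    """Keyed random permutation of all 16-bit values: a stand-in for DES/AES that shows how
    modes behave. NOT a secure cipher; used here only because it is tiny and invertible."""

    def __init__(self, key_seed):
        rng = random.Random(key_seed)               # the key selects the permutation
        self.table = list(range(1 << 16))
        rng.shuffle(self.table)
        self.inverse = [0] * (1 << 16)
        for x, y in enumerate(self.table):
            self.inverse[y] = x

    def encrypt_block(self, block):
        return self.table[int.from_bytes(block, "big")].to_bytes(BLOCK, "big")

    def decrypt_block(self, block):
        return self.inverse[int.from_bytes(block, "big")].to_bytes(BLOCK, "big")


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def pad(data):
    """PKCS#7-style padding of the last block (always adds at least one byte)."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    return data[:-data[-1]]


def split_blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(bc, plaintext):
    """Each block encrypted independently: equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(bc.encrypt_block(b) for b in split_blocks(pad(plaintext)))


def ecb_decrypt(bc, ciphertext):
    return unpad(b"".join(bc.decrypt_block(b) for b in split_blocks(ciphertext)))


def cbc_encrypt(bc, plaintext, iv):
    """Ci = E(Pi XOR Ci-1) with C0 = IV: the chaining hides repeated plaintext blocks."""
    prev, out = iv, []
    for b in split_blocks(pad(plaintext)):
        prev = bc.encrypt_block(xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(bc, ciphertext, iv):
    prev, out = iv, []
    for b in split_blocks(ciphertext):
        out.append(xor(bc.decrypt_block(b), prev))
        prev = b
    return unpad(b"".join(out))


def ctr_crypt(bc, data, nonce):
    """Oi = E(nonce || i), Ci = Pi XOR Oi. No padding, the same call decrypts, and every
    (key, nonce, i) must be unique or the keystream block repeats."""
    out = []
    for i, b in enumerate(split_blocks(data)):
        counter_block = bytes([nonce & 0xFF, i & 0xFF])    # 8-bit nonce || 8-bit counter
        out.append(xor(b, bc.encrypt_block(counter_block)[:len(b)]))
    return b"".join(out)


def repeated_blocks(ciphertext):
    """Number of ciphertext blocks that duplicate an earlier one: the pattern leak ECB is known for."""
    blocks = split_blocks(ciphertext)
    return len(blocks) - len(set(blocks))


def demo():
    bc = ToyBlockCipher(key_seed=2024)             # constructed key
    pt = b"AAAA" * 8                               # 16 identical plaintext blocks
    iv = os.urandom(BLOCK)
    return {
        "ecb": repeated_blocks(ecb_encrypt(bc, pt)),
        "cbc": repeated_blocks(cbc_encrypt(bc, pt, iv)),
        "ctr": repeated_blocks(ctr_crypt(bc, pt, nonce=7)),
    }


if __name__ == "__main__":
    print(demo())        # ECB repeats 15 of 17 blocks; CBC and CTR do not
```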
Feistel Cipher Structure
Virtually all conventional block encryption algorithms, including DES, have a structure first described by Horst Feistel of IBM in 1973
The realization of a Feistel Network depends on the choice of the following parameters and design features (see next slide):
Feistel Cipher Structure (cont.)
Block size: larger block sizes mean greater security
Key Size: larger key size means greater security
Number of rounds: multiple rounds offer increasing security
Subkey generation algorithm: greater complexity will lead to greater difficulty of cryptanalysis.
Fast software encryption/decryption: the speed of execution of the algorithm becomes a concern
Round Function (F): Greater complexity is better, resistance to cryptanalysis
Feistel Encryption and Decryption
Proof: LD1 = RE15
Encryption side:
LE16 = RE15
RE16 = LE15 XOR F(RE15, K16)
Decryption side:
LD1 = RD0 = LE16 = RE15
RD1 = LD0 XOR F(RD0, K16)
    = RE16 XOR F(RE15, K16)
    = [LE15 XOR F(RE15, K16)] XOR F(RE15, K16)
    = LE15 XOR [F(RE15, K16) XOR F(RE15, K16)]
    = LE15 XOR 0
    = LE15
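A runnable Feistel network that checks the identity proved above, as an added example and not code from the lecture. The round function F and the subkey schedule are assumptions (truncated SHA-256, chosen only because they are easy to write): the proof needs no property of F at all, which is the whole point of the structure. feistel_rounds keeps every intermediate (L, R) pair so LD1 can be compared with RE15 directly.

```python
import hashlib

HALF = 4          # bytes per half block: an 8-byte block like DES, split into L and R
ROUNDS = 16


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def F(right, subkey):
    """Round function. Any function of (R, K) works for invertibility; a truncated
    SHA-256 of R || K serves here (assumption for the example, not DES's F)."""
    return hashlib.sha256(right + subkey).digest()[:HALF]


def subkeys(key, rounds=ROUNDS):
    """Toy key schedule producing K1..K16 (assumption; DES uses permuted-choice tables)."""
    return [hashlib.sha256(key + bytes([i])).digest()[:HALF] for i in range(1, rounds + 1)]


def feistel_rounds(left, right, keys):
    """One round per key: L_i = R_{i-1}, R_i = L_{i-1} XOR F(R_{i-1}, K_i).
    Returns every intermediate state; index 0 is the input."""
    states = [(left, right)]
    for k in keys:
        left, right = right, xor(left, F(right, k))
        states.append((left, right))
    return states


def feistel_encrypt(block, key):
    """Encrypt with K1..K16; the final swap makes the output (RE16, LE16)."""
    l16, r16 = feistel_rounds(block[:HALF], block[HALF:], subkeys(key))[-1]
    return r16 + l16


def feistel_decrypt(block, key):
    """Same network with the subkeys reversed (K16 first). Input halves are LD0 = RE16, RD0 = LE16."""
    l16, r16 = feistel_rounds(block[:HALF], block[HALF:], subkeys(key)[::-1])[-1]
    return r16 + l16


def check_slide_identity(block, key):
    """Verify the slide's claim: after one decryption round, LD1 = RE15 and RD1 = LE15."""
    keys = subkeys(key)
    enc = feistel_rounds(block[:HALF], block[HALF:], keys)
    le15, re15 = enc[15]
    le16, re16 = enc[16]
    dec = feistel_rounds(re16, le16, keys[::-1])      # LD0 = RE16, RD0 = LE16
    ld1, rd1 = dec[1]
    return ld1 == re15 and rd1 == le15


if __name__ == "__main__":
    ct = feistel_encrypt(b"8bytebl0", b"secret")
    print(ct.hex(), feistel_decrypt(ct, b"secret"))
    print(check_slide_identity(b"8bytebl0", b"secret"))
```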
Data Encryption Standard (DES)
most widely used block cipher in world
adopted in 1977 by NBS (now NIST) as FIPS PUB 46
encrypts 64-bit data using 56-bit key
has widespread use
has been considerable controversy over its security
DES History
IBM developed Lucifer cipher
by team led by Feistel in late 60's
used 64-bit data blocks with 128-bit key
then redeveloped as a commercial cipher with input from NSA and others
in 1973 NBS issued request for proposals for a national cipher standard
IBM submitted their revised Lucifer which was eventually accepted as the DES
DES Design Controversy
although DES standard is public
was considerable controversy over design
in choice of 56-bit key (vs Lucifer 128-bit)
and because design criteria were classified
subsequent events and public analysis show in fact design was appropriate
use of DES has flourished
especially in financial applications
still standardised for legacy application use
Data Encryption Standard (DES)
A block of 64-bit data is encrypted using 56-bit key to produce a 64-bit block of ciphertext.
Decryption can be done by encrypting the ciphertext using the same key.
DES Encryption
Single Round of DES Encryption
Permutation Table for DES
Permutation Tables for DES
DES Key Schedule Calculation
Permuted Choice 1 and 2
Calculation of F(R, K)
1. R is expanded to 48 bits.
2. The expanded R is XORed with 48-bit K.
3. Split 48-bit data into 8 groups of 6-bit data to enter S-Boxes.
4. For each of the groups, do the following:
   1. For the 6-bit data to enter each Si, 1st and 6th bits form a 2-bit binary number to identify the row number in Si.
   2. The decimal value of 2nd – 5th bits identifies the column number in Si.
   3. The selected decimal value from Si is then converted into 4-bit binary output of Si.
DES S-Boxes
Permutation Function
DES S-Boxes (cont.)
DES S-Boxes (cont.)
Example
Input to S5: 100111
1st and 6th bits are 11 -> row 3
2nd-5th bits are 0011 -> column 3
The decimal value in row 3 and column 3 of S5 is 7.
The output value of S5 is 0111
S5 (first five columns shown):
 2 12  4  1  7 …
14 11  2 12  4 …
 4  2  1 11 10 …
11  8 12  7  1 …
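The S-box step of F(R, K) for the worked example, as an added example that is not part of the lecture. The slide shows only the first five columns of S5; the full table below is S5 from FIPS 46-3. Besides the lookup itself the block checks the property DES S-boxes are built with (each row is a permutation of 0..15) and measures, per input bit, how many output bits flip on average, which previews the avalanche effect discussed on the next slide.

```python
# DES S-box S5 (FIPS 46-3); the slide shows the first five columns of each row.
S5 = [
    [2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9],
    [14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6],
    [4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14],
    [11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3],
]


def sbox_lookup(sbox, six_bits):
    """6 -> 4 bit substitution: bits 1 and 6 pick the row, bits 2-5 the column.
    `six_bits` is an int 0..63 whose most significant bit is the slide's '1st bit'."""
    row = ((six_bits >> 5) & 1) << 1 | (six_bits & 1)
    col = (six_bits >> 1) & 0xF
    return sbox[row][col]


def sbox_lookup_bits(sbox, bit_string):
    """Same lookup on a string such as '100111'; returns the 4-bit output as a string."""
    return format(sbox_lookup(sbox, int(bit_string, 2)), "04b")


def is_valid_des_sbox(sbox):
    """Every row of a DES S-box is a permutation of 0..15, so within one row no information is lost."""
    return len(sbox) == 4 and all(sorted(row) == list(range(16)) for row in sbox)


def avalanche_table(sbox):
    """For each input bit position (1 = most significant, as the slide counts), the average number of
    output bits that change when that single input bit is flipped, over all 64 inputs."""
    result = {}
    for bit in range(6):
        flips = 0
        for x in range(64):
            flips += bin(sbox_lookup(sbox, x) ^ sbox_lookup(sbox, x ^ (1 << bit))).count("1")
        result[6 - bit] = flips / 64
    return result


if __name__ == "__main__":
    print(sbox_lookup_bits(S5, "100111"))      # 0111, as on the slide
    print(is_valid_des_sbox(S5))
    print(avalanche_table(S5))
```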
Avalanche Effect
key desirable property of encryption alg
where a change of one input or key bit results in changing approx half output bits
making attempts to "home-in" by guessing keys impossible
DES exhibits strong avalanche
Avalanche Effect in DES
Strength of DES – Key Size
56-bit keys have 2^56 = 7.2 x 10^16 values
brute force search looks hard
recent advances have shown is possible
in 1997 on Internet in a few months
in 1998 on dedicated h/w (EFF) in a few days
in 1999 above combined in 22hrs!
Recently, ....
still must be able to recognize plaintext
must now consider alternatives to DES
More about DES
If the only attack on DES is brute force, then use longer key size.
Multiple Encryption & DES
clear a replacement for DES was needed
theoretical attacks that can break it
demonstrated exhaustive key search attacks
AES is a new cipher alternative
prior to this alternative was to use multiple encryption with DES implementations
Triple-DES (3DES) is the chosen form
3DES with Two-Keys
hence must use 3 encryptions
would seem to need 3 distinct keys
but can use 2 keys with E-D-E sequence
C = EK1(DK2(EK1(P)))
nb encrypt & decrypt equivalent in security
if K1=K2 then can work with single DES
standardized in ANSI X9.17 & ISO8732
no current known practical attacks
3DES with Two-Keys (cont.)
Triple-DES with Three-Keys
although are no practical attacks on two-key Triple-DES have some indications
can use Triple-DES with Three-Keys to avoid even these
C = EK3(DK2(EK1(P)))
has been adopted by some Internet applications, eg PGP, S/MIME
3DES with Three-Keys (cont.)
Other Symmetric Block Ciphers
International Data Encryption Algorithm (IDEA)
128-bit key
Used in PGP
Blowfish
Easy to implement
High execution speed
Run in less than 5K of memory
Other Symmetric Block Ciphers
RC5
Suitable for hardware and software
Fast, simple
Adaptable to processors of different word lengths
Variable number of rounds
Variable-length key
Low memory requirement
High security
Data-dependent rotations
Cast-128
Key size from 40 to 128 bits
The round function differs from round to round
Origins
clear a replacement for DES was needed
have theoretical attacks that can break it
have demonstrated exhaustive key search attacks
can use Triple-DES – but slow, has small blocks
US NIST issued call for ciphers in 1997
15 candidates accepted in Jun 98
5 were shortlisted in Aug-99
Rijndael was selected as the AES in Oct-2000
issued as FIPS PUB 197 standard in Nov-2001
AES Requirements
private key symmetric block cipher
128-bit data, 128/192/256-bit keys
stronger & faster than Triple-DES
active life of 20-30 years (+ archival use)
provide full specification & design details
both C & Java implementations
NIST have released all submissions & unclassified analyses
AES
128-bit plaintext block
Key length -> 128, 192, 256 bits
10 rounds for each encryption and decryption
128-bit plaintext is divided into 16 8-bit (1-byte) blocks.
128-bit key is expanded into 44 32-bit "words", and 4 different words will be used in each round
11 sets of 4-word keys are used in 10-round encryption !
Decryption algorithm is not identical to encryption algorithm
AES Parameters
AES Key Expansion
AES Encryption and Decryption
AES Encryption
4 stages in each round:
Substitute bytes -> use S-box for byte-to-byte substitution
Shift rows -> simple row-by-row permutation
Mix columns -> a substitution that alters each byte in a column as a function of all of the bytes in the column
Add round key -> bitwise XOR of the current block with the key
AES Encryption Round
SubBytes
SubBytes (cont.)
S-box
SubBytes (cont.)
Inverse S-box
SubBytes (cont.)
ShiftRows
MixColumns
MixColumns (cont.)
AddRoundKey
AddRoundKey (cont.)
AES Operations
Implementation Aspects
can efficiently implement on 8-bit CPU
byte substitution works on bytes using a table of 256 entries
shift rows is simple byte shift
add round key works on byte XOR's
mix columns requires matrix multiply in GF(2^8) which works on byte values, can be simplified to use table lookups & byte XOR's
Implementation Aspects (cont.)
can efficiently implement on 32-bit CPU
redefine steps to use 32-bit words
can precompute 4 tables of 256-words
then each column in each round can be computed using 4 table lookups + 4 XORs
at a cost of 4Kb to store tables
designers believe this very efficient implementation was a key factor in its selection as the AES cipher
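The two AES stages that the "AES Encryption" and "Implementation Aspects" slides describe in words, ShiftRows and MixColumns, as an added example that is not code from the lecture or from FIPS 197. The GF(2^8) multiply is done the 8-bit way the slide mentions: the only constants MixColumns needs (2 and 3) are precomputed into 256-entry tables so that the whole stage is table lookups and byte XORs, while the inverse (constants 14, 11, 13, 9) uses the general multiply and shows why decryption is the costlier direction. The column [db 13 53 45] -> [8e 4d a1 bc] is the standard published MixColumns test value.

```python
def xtime(b):
    """Multiply a byte by x (0x02) in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    b <<= 1
    if b & 0x100:
        b ^= 0x11B
    return b & 0xFF


def gf_mul(a, b):
    """General GF(2^8) multiplication by repeated xtime (shift-and-add)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a = xtime(a)
        b >>= 1
    return result


# Table-lookup form of the two constants MixColumns needs: "table lookups & byte XORs".
MUL2 = [xtime(x) for x in range(256)]
MUL3 = [xtime(x) ^ x for x in range(256)]


def mix_column(col):
    """One column [a0, a1, a2, a3] times the fixed matrix [[2,3,1,1],[1,2,3,1],[1,1,2,3],[3,1,1,2]]."""
    a0, a1, a2, a3 = col
    return [
        MUL2[a0] ^ MUL3[a1] ^ a2 ^ a3,
        a0 ^ MUL2[a1] ^ MUL3[a2] ^ a3,
        a0 ^ a1 ^ MUL2[a2] ^ MUL3[a3],
        MUL3[a0] ^ a1 ^ a2 ^ MUL2[a3],
    ]


def inv_mix_column(col):
    """Inverse matrix with constants 14, 11, 13, 9: decryption is a different, slower step."""
    a0, a1, a2, a3 = col
    return [
        gf_mul(a0, 14) ^ gf_mul(a1, 11) ^ gf_mul(a2, 13) ^ gf_mul(a3, 9),
        gf_mul(a0, 9) ^ gf_mul(a1, 14) ^ gf_mul(a2, 11) ^ gf_mul(a3, 13),
        gf_mul(a0, 13) ^ gf_mul(a1, 9) ^ gf_mul(a2, 14) ^ gf_mul(a3, 11),
        gf_mul(a0, 11) ^ gf_mul(a1, 13) ^ gf_mul(a2, 9) ^ gf_mul(a3, 14),
    ]


def to_state(block16):
    """AES fills the 4x4 state column by column: state[row][col] = byte[row + 4*col]."""
    return [[block16[r + 4 * c] for c in range(4)] for r in range(4)]


def from_state(state):
    return bytes(state[r][c] for c in range(4) for r in range(4))


def shift_rows(state):
    """Row r is rotated left by r bytes (row 0 unchanged)."""
    return [row[r:] + row[:r] for r, row in enumerate(state)]


def inv_shift_rows(state):
    return [row[-r:] + row[:-r] if r else list(row) for r, row in enumerate(state)]


def mix_columns(state):
    cols = [mix_column([state[r][c] for r in range(4)]) for c in range(4)]
    return [[cols[c][r] for c in range(4)] for r in range(4)]


def inv_mix_columns(state):
    cols = [inv_mix_column([state[r][c] for r in range(4)]) for c in range(4)]
    return [[cols[c][r] for c in range(4)] for r in range(4)]


if __name__ == "__main__":
    print([hex(b) for b in mix_column([0xDB, 0x13, 0x53, 0x45])])   # 0x8e 0x4d 0xa1 0xbc
    print(list(from_state(shift_rows(to_state(bytes(range(16)))))))
```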
Design of Symmetric Cryptosystems
A cryptographic algorithm should be efficient for good use
It should be fast and key length should be of the right length – e.g. not too short
Cryptographic algorithms are not impossible to break without a key
If we try all the combinations, we can get the original message
Design of Symmetric Cryptosystems (cont.)
The security of a cryptographic algorithm depends on how much work it takes for someone to break it
E.g. If it takes 10 mil. years to break a cryptographic algorithm X using all the computers of a state, X can be thought of as a secure one – reason: cluster computers and quantum computers are powerful enough to crack many current cryptographic algorithms.
Design of Symmetric Cryptosystems (cont.)
Encryption Algorithm Design
Should the block size of messages be small or large?
Should the keyspace be large?
Should we consider other search rather than brute-force search?
Placement of Encryption
have two major placement alternatives
link encryption
encryption occurs independently on every link
implies must decrypt traffic between links
requires many devices, but paired keys
end-to-end encryption
encryption occurs between original source and final destination
need devices at each end with shared keys
Locations of Encryption Devices
Placement of Encryption (cont.)
when using end-to-end encryption must leave headers in clear so network can correctly route information
hence although contents protected, traffic pattern flows are not
ideally want both at once
end-to-end protects data contents over entire path and provides authentication
link protects traffic flows from monitoring
Placement of Encryption (cont.)
can place encryption function at various layers in OSI Reference Model
link encryption occurs at layers 1 or 2, 3
end-to-end can occur at layers 4, 6, 7
as move higher less information is encrypted but it is more secure though more complex with more entities and keys
Link Encryption VS End-to-end Encryption
Encryption VS Protocol Level
Traffic Padding
Key Distribution
The security of symmetric cryptosystem is based on the security of key distribution.
Important process two hosts need a shared key before transmitting a message securely.
Secret key must be securely distributed between hosts, and need to be updated frequently.
But, HOW can we securely distribute the shared key?
Key Exchange with Symmetric Cryptography
Two kinds of keys:
Session key
temporary key used for encryption of data between users for one logical session then discarded
Master key
used to encrypt and distribute session keys
shared by user & key distribution center
Key Distribution Center (KDC)
Shares permanent key with hosts
Distributes session keys upon the requests of hosts
Key Distribution Scenario
Steps
1. Alice sends a request (IDA, IDB) for a session key and a nonce (N1) to KDC. Nonce may be a random number. What is nonce for?
2. KDC sends an encrypted message to A containing:
   1. Session key KS
   2. Encrypted session key for Bob EKb(KS, IDA)
3. Alice forwards EKb(KS, IDA) to Bob. Bob can decrypt it. (anyone else?)
4. Bob confirms that he has received KS by sending Alice EKs[N2].
5. Alice responds by sending f(N2) encrypted with KS.
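The five steps simulated end to end, with Alice, Bob and the KDC in one process, as an added example that is not part of the lecture. Everything cryptographic here is an assumption made for the example: E/D are a toy authenticated encryption (HMAC-SHA256 keystream plus an HMAC tag, standing in for a real AEAD), f(N2) is N2 + 1, and the master keys are generated on the spot. The code answers the slide's two questions in the checks it performs: N1 in the KDC's reply is compared with the N1 Alice sent (so an old reply cannot be replayed to her), and outsider_can_read_ticket shows that a host without Kb cannot open EKb(KS, IDA).

```python
import hashlib
import hmac
import json
import secrets


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode, used as a stand-in keystream for the toy E/D below."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def E(key, obj):
    """Toy authenticated encryption of a JSON object: keystream XOR plus an HMAC tag
    (assumption for this example; a real system would use an AEAD such as AES-GCM)."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def D(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def f(n):
    """The agreed transformation of Bob's nonce in step 5 (assumption: N2 + 1)."""
    return n + 1


class KDC:
    """Shares a permanent master key with every host; hands out session keys on request."""

    def __init__(self, master_keys):
        self.master_keys = master_keys            # {"A": Ka, "B": Kb, ...}

    def request(self, ida, idb, n1):
        ks = secrets.token_hex(16)
        ticket = E(self.master_keys[idb], {"Ks": ks, "IDA": ida}).hex()   # E_Kb(Ks, IDA)
        return E(self.master_keys[ida], {"Ks": ks, "IDB": idb, "N1": n1, "ticket": ticket})


def run_protocol():
    """The five steps from the slide."""
    ka, kb = secrets.token_bytes(32), secrets.token_bytes(32)    # constructed master keys
    kdc = KDC({"A": ka, "B": kb})
    # 1. Alice -> KDC: IDA, IDB, N1
    n1 = secrets.randbelow(1 << 64)
    # 2. KDC -> Alice: E_Ka(Ks, IDB, N1, E_Kb(Ks, IDA))
    reply = D(ka, kdc.request("A", "B", n1))
    if reply["N1"] != n1 or reply["IDB"] != "B":   # the nonce ties this reply to this request
        raise ValueError("stale or mismatched KDC reply")
    ks_alice = bytes.fromhex(reply["Ks"])
    ticket = bytes.fromhex(reply["ticket"])
    # 3. Alice -> Bob: E_Kb(Ks, IDA); only Bob holds Kb
    opened = D(kb, ticket)
    ks_bob = bytes.fromhex(opened["Ks"])
    # 4. Bob -> Alice: E_Ks(N2)
    n2 = secrets.randbelow(1 << 64)
    n2_at_alice = D(ks_alice, E(ks_bob, {"N2": n2}))["N2"]
    # 5. Alice -> Bob: E_Ks(f(N2)); Bob learns that Alice really holds Ks
    bob_accepts = D(ks_bob, E(ks_alice, {"fN2": f(n2_at_alice)}))["fN2"] == f(n2)
    return {"keys_match": ks_alice == ks_bob, "peer": opened["IDA"],
            "bob_accepts": bob_accepts, "ticket": ticket}


def outsider_can_read_ticket(ticket):
    """The slide's '(anyone else?)': a host without Kb only gets a tag failure."""
    try:
        D(secrets.token_bytes(32), ticket)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    result = run_protocol()
    print({k: v for k, v in result.items() if k != "ticket"})
    print("outsider reads ticket:", outsider_can_read_ticket(result["ticket"]))
```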
Hierarchical Key Control
In a very large network, a single KDC is not enough -> a hierarchy of KDCs can be established.
Local KDCs and a global KDC
Local KDC is responsible for parties in the same domain, whereas global KDC is taking care of communications of parties in different domains.
Key Distribution Issues
hierarchies of KDC's required for large networks, but must trust each other
session key lifetimes should be limited for greater security
use of automatic key distribution on behalf of users, but must trust system
use of decentralized key distribution
controlling key usage
Session Key Lifetime
The more frequently session keys are exchanged, the more secure they are.
However, each session key distribution causes delays.
In connection-oriented protocols, a new session key is issued for each connection.
However, if the connection is open for a long time, it may be needed to retransmit a new session key.
In connectionless protocols, not obvious how often the new session key is exchanged.
A better strategy is to use a given session key for a certain fixed period only or for a certain number of transactions.
A Transparent Key Control Scheme
Decentralized Key Control
Centralized Key Control -> KDC is normally assumed to be trusted and secured from attacks.
However, attacks may occur. -> try decentralized approach
Decentralization is suitable for local connection.
Involved parties need a master key between pairs of parties, as many as [n(n-1)]/2 keys among n users.
Decentralized Key Distribution
Decentralized Key Distribution (cont.)
1. Alice and Bob share a master key MKm.
2. Alice sends a request for a session key with a nonce N1 to Bob.
3. Bob sends KS encrypted with shared master key MKm. The message contains a nonce N2.
4. Alice responds with f(N2) encrypted with the session key.
Random Numbers
many uses of random numbers in cryptography
nonces in authentication protocols to prevent replay
session keys
public key generation
keystream for a one-time pad
in all cases it's critical that these values be
statistically random, uniform distribution, independent
unpredictability of future values from previous values
Pseudorandom Number Generators (PRNGs)
often use deterministic algorithmic techniques to create "random numbers"
although are not truly random
can pass many tests of "randomness"
known as "pseudorandom numbers"
created by "Pseudorandom Number Generators (PRNGs)"
Using Block Ciphers as PRNGs
for cryptographic applications, can use a block cipher to generate random numbers
often for creating session keys from master key
Counter Mode
Xi = EKm[i]
Output Feedback Mode
Xi = EKm[Xi-1]
ANSI X9.17 PRG
(Figure: generator inputs are a seed value and a date/time value)
ANSI X9.17 PRG (cont.)
It uses date/time & seed inputs and 3 triple-DES encryptions to generate a new seed & random value.
DTi - Date/time value at the beginning of ith generation stage
Vi - Seed value at the beginning of ith generation stage
Ri - Pseudorandom number produced by the ith generation stage
K1, K2 - DES keys used for each stage
Then compute successive values as:
Ri = EDE([K1, K2], [Vi XOR EDE([K1, K2], DTi)])
Vi+1 = EDE([K1, K2], [Ri XOR EDE([K1, K2], DTi)])
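The three block-cipher based generators from the last two slides (counter mode, output feedback, and ANSI X9.17) written out as an added example; none of this is the lecture's code. The EDE function is an assumption: HMAC-SHA256 truncated to 8 bytes stands in for two-key triple-DES so the example runs without a DES library, and what the block demonstrates is the structure of each generator, not the primitive. Note that X9.17 updates its seed from the output and the date/time on every call, so two calls with an identical DT still produce different values.

```python
import hashlib
import hmac
import time


def EDE(keys, block):
    """Stand-in for two-key triple-DES EDE on an 8-byte block (assumption: HMAC-SHA256
    truncated to 8 bytes; the generators' structure, not the primitive, is the point here)."""
    k1, k2 = keys
    return hmac.new(k1 + k2, block, hashlib.sha256).digest()[:8]


def xor8(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def counter_mode_prng(km, count):
    """Xi = E_Km[i]: distinct counters through a keyed permutation give distinct outputs."""
    return [EDE((km, km), i.to_bytes(8, "big")) for i in range(count)]


def ofb_mode_prng(km, x0, count):
    """Xi = E_Km[Xi-1]: each output is fed back as the next input."""
    out, x = [], x0
    for _ in range(count):
        x = EDE((km, km), x)
        out.append(x)
    return out


class X917PRNG:
    """ANSI X9.17 generator from the slide: three EDE calls per output, mixing the date/time
    into both the output Ri and the next seed Vi+1."""

    def __init__(self, k1, k2, seed):
        self.keys = (k1, k2)
        self.V = seed                                    # V_i, 8 bytes

    def next(self, dt=None):
        DT = dt if dt is not None else time.time_ns().to_bytes(8, "big")   # DT_i
        T = EDE(self.keys, DT)                           # EDE([K1, K2], DT_i)
        R = EDE(self.keys, xor8(self.V, T))              # R_i   = EDE(V_i XOR T)
        self.V = EDE(self.keys, xor8(R, T))              # V_i+1 = EDE(R_i XOR T)
        return R


if __name__ == "__main__":
    g = X917PRNG(b"k1" * 8, b"k2" * 8, b"\x00" * 8)
    print([g.next().hex() for _ in range(3)])
    print([x.hex() for x in counter_mode_prng(b"km" * 8, 3)])
```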
Natural Random Noise
best source is natural randomness in real world
find a regular but random event and monitor
do generally need special h/w to do this
eg. radiation counters, radio noise, audio noise, thermal noise in diodes, leaky capacitors, mercury discharge tubes etc
starting to see such h/w in new CPU's
problems of bias or uneven distribution in signal
have to compensate for this when sample and use
best to only use a few noisiest bits from each sample
Published Sources
a few published collections of random numbers
Rand Co, in 1955, published 1 million numbers
generated using an electronic roulette wheel
has been used in some cipher designs cf Khafre
earlier Tippett in 1927 published a collection
issues are that:
these are limited
too well-known for most uses
Problems of Symmetric Cryptography
Keys must be distributed in secret.
Keys are as valuable as all the messages they encrypt.
If a key is compromised, then so is the security of the entire system.
Not scalable -> assume that each pair of total n users shares different secrets. Number of keys needed is n(n-1)/2 keys
Algorithms are easy to break compared to public-key cryptographic algorithms
However symmetric one can be performed faster -> less time -> less power consumption -> suitable for being implemented in mobile devices
Lack of necessary security services e.g. non repudiation, provide low-level of integrity check
Questions?
Next week: Public-key Cryptography
Discussion
Discuss two differences between Block Cipher and Stream Cipher
Explain how symmetric cryptography can provide authentication
Suggest a key distribution technique that provides offline key generation and distribution