CSC574: Computer & Network Security

Transcription

1 CSC574: Computer & Network Security Lecture 3 Prof. William Enck Spring 2016 (Derived from slides by Micah Sherr, Patrick McDaniel, and Peng Ning)

2 Modern Cryptography 2

3 Kerckhoffs Principles Modern cryptosystems use a key to control encryption and decryption Ciphertext should be undecipherable without the correct key Encryption key may be different from decryption key. Kerckhoffs principles [1883]: Assume Eve knows cipher algorithm Security should rely on choice of key If Eve discovers the key, a new key can be chosen 3

4 Kerckhoffs Principles Kerckhoffs Principles are contrary to the principle of security by obscurity, which relies only upon the secrecy of the algorithm/ cryptosystem If security of a keyless algorithm compromised, cryptosystem becomes permanently useless (and unfixable) Algorithms relatively easy to reverse engineer 4

5 Symmetric and Asymmetric Crypto M C M E D Alice K1 K2 Bob Symmetric crypto: (also called private key crypto) Alice and Bob share the same key (K=K1=K2) K used for both encrypting and decrypting Doesn't imply that encrypting and decrypting are the same algorithm Also called private key or secret key cryptography, since knowledge of the key reveals the plaintext Asymmetric crypto: (also called public key crypto) Alice and Bob have different keys Alice encrypts with K1 and Bob decrypts with K2 Also called public key cryptography, since Alice and Bob can publicly post their public keys 5

6 Secret Key Crypto M C M E D Alice K K Bob Without K, Eve cannot decrypt C Eve 6

7 Crypto Confidentiality: Encryption and Decryption Functions Private Key Public Key Stream Ciphers Block Ciphers? 7

8 Block ciphers vs. Stream ciphers Stream Ciphers Combine (e.g., XOR) plaintext with pseudorandom stream of bits Pseudorandom stream generated based on key XOR with same bit stream to recover plaintext E.g., RC4, FISH Block Ciphers Fixed block size Encrypt block-sized portions of plaintext Combine encrypted blocks (more on this later) E.g., DES, 3DES, AES 8

9 Stream Ciphers Useful when plaintext arrives as a stream (e.g., 's WEP) Vulnerable if used incorrectly 9

10 Stream Ciphers Key reuse: [C(K) = pseudorandom stream produced using key K] E(M1) = M1 C(K) E(M2) = M2 C(K) Suppose Eve knows ciphertexts E(M1) and E(M2) E(M1) E(M2) = M1 C(K) M2 C(K) = M1 M2 M1 and M2 can be derived from M1 M2 using frequency analysis Countermeasure is to use IV (initialization vector) IV sent in clear and is combined with K to produce pseudorandom sequence E.g., replace C(K) with C(K IV) IVs should never be reused and should be sufficiently large WEP broken partly because IVs were insufficiently large modern stream ciphers take IVs, but it's up to the programmer to generate them 10

11 Stream Ciphers Substitution Attack: M = Pay me $ E(M) = M C(K) Suppose Eve knows M and E(M) but doesn't know K She can substitute M for M' by replacing E(M) with: E'(M) = E(M) M M' = M C(K) M M' = C(K) M' Eve can then replace E(M) with E'(M), which Bob will decrypt message as M' ( Pay me $ ) Countermeasure is to include message authentication code (more on this later) that helps detect manipulation (i.e., provides integrity and authenticity) 11

12 Generic Block Encryption Converts one input plaintext block of fixed size b bits to an output ciphertext block also of b bits Benefits of large b? of short b? plaintext block 0 block 1 block 2 key Encryption ciphertext block 0 block 1 block 2 12

13 Two Principles for Cipher Design Confusion: Make the relationship between the <plaintext, key> input and the <ciphertext> output as complex (non-linear) as possible Mainly accomplished by substitution Diffusion: Spread the influence of each input bit across many output bits Mainly accomplished by permutation Idea: use multiple, alternating permutations and subsitutions S P S P S... or P S P S P... Does it have to alternate?, e.g., S S S P P P S S... 13

14 Basic Form of Modern Block Ciphers Plaintext block Key Preprocessing Sub-Key Generation Rounds of Encryption i=1,2,,n Sub-Key #1 Sub-Key #2 Sub-Key #3 Sub-Key #n Postprocessing Ciphertext block 14

15 Feistel Cipher Very influential template for designing block ciphers Major benefit: do encryption and decryption w/ same hardware One round of Feistel Encryption 1. Break input block i into left and right halves L i and R i 2. Copy R i to create output half block L i+1 3. Half block R i and key K i are scrambled by function f 4. XOR result with input half-block L i to create output half-block R i+1 L i Input block i f R i K i L i+1 R i+1 Output block i+1 15

16 One Round of Feistel Decryption Output block i+1 L i R i f K i Just reverse the arrows! L i+1 R i+1 Input block i 16

17 Complete Feistel Cipher: Encryption Plaintext (2w bits) L 0 R 0 K 1 Round 1 f K 2 Round i f L 2 R 2 Round n f K n note this final swap! L n L n+1 R n+1 R n Ciphertext 17 (2w bits)

18 Feistel Cipher: Decryption Ciphertext (2w bits) L 0 R 0 K n Round 1 f K n-1 Round i f L 2 R 2 Round n f K 1 note this final swap! L n L n+1 R n+1 R n Plaintext (2w bits) 18 CSC 474

19 Data Encryption Standard (DES) Introduced by the US NBS (now NIST) in 1972 Signaled the beginning of the modern area of cryptography Basics Feistel Cipher 8-byte (64 bit) input 8-byte (64 bit) output 8-byte key (56 bits + 8 parity bits) 16 rounds 64-bit Input Initial Permutation Round 1 Round 2 Round 16 Swap Halves 48-bit K 1 48-bit K 2 48-bit K bit Key Generate round keys Final Permutation bit Output

20 DES Round: f (Mangler) Function function f = Mangler Input block i 32-bit half block L i R i Expansion f K i S-Box (substitution) 48 bits K i L i+1 R i+1 Output block i+1 Permutation 32-bit half block 20

21 Substitution Box (S-Box) A substitution box (or S-box) is used to obscure the relationship between the plaintext and the ciphertext Shannon s property of confusion: the relationship between key and ciphertext is complex as possible In DES, S-boxes are carefully chosen to resist cryptanalysis Thus, that is where the security comes from Example: Given a 6-bit input, the 4-bit output is found by selecting the row using the outer two bits, and the column using the inner four bits. For example, an input "011011" has outer bits "01" and inner bits "1101"; the corresponding output would be "1001". 21

22 Avalanche Effect in DES: Change in Plaintext Round δ Round δ 02468aceeca aceeca cf03c0fbad cf03c0fbad bad e9b723 bad a9b7a3 3 99e9b7230bae3b9e 39a9b7a3171cb8b3 4 0bae3b9e cb8b3ccaca55e b3fa41 ccaca55ed16c b3fa419616fe23 d16c3653cf402c fe cf2 cf402c682b2cefbc cf2c11bfc09 2b2cefbc99f c11bfc09887fbc6c 99f911532eed7d fbc6c600f7e8b 2eed7d94d0f f7e8bf596506e d0f da9c f596506e738538b8 455da9c47f6e3cf b8c6a62c4e 7f6e3cf34bc1a8d c6a62c4e56b0bd75 4bc1a8d91e07d b0bd7575e8fd8f 1e07d4091ce2e6dc e8fd8f ce2e6dc365e5f59 33 IP 1 da02ce3a89ecac3b 057cde97d7683f2a (from Stallings, Crypto and Net Security)

23 Avalanche Effect in DES: Change in Key Round δ Round δ 02468aceeca aceeca cf03c0fbad cf03c0f9ad628c5 2 bad e9b723 9ad628c b 3 99e9b7230bae3b9e b768067b7 4 0bae3b9e b75a8807c b3fa41 5a8807c5488dbe b3fa419616fe23 488dbe94aba7fe fe cf2 aba7fe53177d21e cf2c11bfc09 177d21e4548f1de4 0 9 c11bfc09887fbc6c 548f1de471f64dfd fbc6c600f7e8b 71f64dfd c f7e8bf596506e c399fdc0d f596506e738538b8 399fdc0d6d208dbb b8c6a62c4e 6d208dbbb9bdeeaa c6a62c4e56b0bd75 b9bdeeaad2c3a56f b0bd7575e8fd8f d2c3a56f2765c1fb e8fd8f c1fb01263dc4 32 IP 1 da02ce3a89ecac3b ee92b50606b62b0b (from Stallings, Crypto and Net Security)

24 Cryptanalysis of DES DES has an effective 56-bit key length Wiener: $1,000, hours (never built) July 17, 1998, the EFF DES Cracker, which was built for less than $250,000 < 3 days January 19, 1999, Distributed.Net (w/eff), 22 hours and 15 minutes (over many machines) We all assume that NSA and agencies like it around the world can crack (recover key) DES in milliseconds What now? Give up on DES? 24

25 Variants of DES DESX (XOR with separate keys ~= 60-bits) DESX(m) =K 2 DES K (m K 1 ) Linear cryptanalysis Triple DES (three keys ~= 112 bits) Keys k 1, k 2, k 3, but in practice k 1 = k 3 C = E(D(E(p, k 1 ),k 2,k 3 ) Compatible with normal DES if k 1 = k 2 = k 3 k 1 k 2 k 3 p E D E c 25

26 Advanced Encryption Standard (AES) International NIST bakeoff between cryptographers Rijndael (pronounced Rhine-dall ) Replaced DES as the accepted symmetric key cipher Substitution-permutation network, not a Feistel network Variable key lengths (, 192, or 256 bits) Block size: bits Fast implementation in both hardware and software Small code and memory footprint 26

27 AES Encryption Process 27 (from Stallings, Crypto and Net Security)

28 AES Data Structures (from Stallings, Crypto and Net Security) 28

29 AES Encryption and Decryption 29 (from Stallings, Crypto and Net Security)

30 30 (from Stallings, Crypto and Net Security)

31 S-box S-box and Inverse Inverse S-box S-box (from Stallings, Crypto and Net Security) 31

32 Implementation Aspects AES can be implemented very efficiently on an 8-bit processor AddRoundKey is a bytewise XOR operation ShiftRows is a simple byte-shifting operation SubBytes operates at the byte level and only requires a table of 256 bytes MixColumns requires matrix multiplication in the field GF(2 8 ), which means all operations are carried out on bytes Designers believe this very efficient implementation was a key factor in its selection as the AES cipher 32 (from Stallings, Crypto and Net Security)

33 Modes of Operation Most ciphers work on blocks of fixed (small) size How to encrypt long messages? Modes of operation ECB (Electronic Code Book) CBC (Cipher Block Chaining) OFB (Output Feedback) CFB (Cipher Feedback) CTR (Counter) 33

34 Issues for Block Chaining Modes Information leakage: Does it reveal info about the plaintext blocks? Ciphertext manipulation: Can an attacker modify ciphertext block(s) in a way that will produce a predictable/desired change in the decrypted plaintext block(s)? Note: assume the structure of the plaintext is known, e.g., first block is employee #1 salary, second block is employee #2 salary, etc. Parallel/Sequential: Can blocks of plaintext (ciphertext) be encrypted (decrypted) in parallel? Error Propagation: If there is an error in a plaintext (ciphertext) block, will there be an encryption (decryption) error in more than one ciphertext (plaintext) block? 34

35 Electronic Code Book Plaintext (ECB) M 1 M 2 M 3 M padding Key E E E E Ciphertext C 1 C 2 C 3 C 4 The easiest mode of operation; each block is independently encrypted 35

36 ECB Decryption M 1 M 2 M 3 M padding Key D D D D C 1 C 2 C 3 C 4 Each block is independently decrypted 36

37 ECB Issues Information leaks: two ciphertext blocks that are the same Manipulation: switch ciphertext with predictable results on plaintext (e.g., shuffle). Parallel: yes Propagate: no Plaintext ECB Other modes 37

38 Cipher Block Chaining (CBC) M 1 M 2 M 3 M padding Initialization Vector Key E E E E C 1 C 2 C 3 C 4 Chaining dependency: each ciphertext block depends on all preceding plaintext blocks 38

39 Initialization Vectors Initialization Vector (IV) Used along with the key; not secret For a given plaintext, changing either the key, or the IV, will produce a different ciphertext Why is that useful? IV generation and sharing Random; may transmit with the ciphertext Incremental; predictable by receivers 39

40 CBC Decryption M 1 M 2 M 3 M padding Initialization Vector Key D D D D C 1 C 2 C 3 C 4 How many ciphertext blocks does each plaintext block depend on? 40

41 CBC Properties Does information leak? Identical plaintext blocks will produce different ciphertext blocks Can ciphertext be manipulated profitably???? Parallel processing possible? no (encryption), yes (decryption) Do ciphertext errors propagate? yes (encryption), a little (decryption) 41

42 Output Feedback Mode (OFB) Initialization Vector one-time pad Key E Pseudo-Random E Number Generator E E M 1 M 2 M 3 M padding C 1 C 2 C 3 C 4 42

43 OFB Decryption IV one-time pad Key E E E E M 1 M 2 M 3 M padding C 1 C 2 C 3 C 4 No block decryption required! 43

44 OFB Properties Does information leak? identical plaintext blocks produce different ciphertext blocks Can ciphertext be manipulated profitably???? Parallel processing possible? no (generating pad), yes (XORing with blocks) Do ciphertext errors propagate???? 44

45 OFB (Cont d) If you know one plaintext/ciphertext pair, can easily derive the one-time pad that was used i.e., should not reuse a one-time pad! Conclusion: IV must be different every time 45

46 Cipher Feedback Mode (CFB) IV Key E E E E M 1 M 2 M 3 M padding C 1 C 2 C 3 C 4 Ciphertext block C j depends on all preceding plaintext blocks 46

47 CFB Decryption IV Key E E E E M 1 M 2 M 3 M padding C 1 C 2 C 3 C 4 No block decryption required! 47

48 CFB Properties Does information leak? Identical plaintext blocks produce different ciphertext blocks Can ciphertext be manipulated profitably???? Parallel processing possible? no (encryption), yes (decryption) Do ciphertext errors propagate???? 48

49 Counter Mode (CTR) IV IV++ IV++ Key E E E M 1 M 2 M 3 C 1 C 2 C 3 49

50 CTR Mode Properties Does information leak? Identical plaintext block produce different ciphertext blocks Can ciphertext be manipulated profitably??? Parallel processing possible Yes (both generating pad and XORing) Do ciphertext errors propagate???? Allow decryption the ciphertext at any location Ideal for random access to ciphertext 50

51 Basic truths of cryptography Cryptography is not frequently the source of security problems Algorithms are well known and widely studied Vetted through crypto community Avoid any proprietary encryption Claims of new technology or perfect security are almost assuredly snake oil 51

52 Building systems with cryptography Use quality libraries SSLeay, cryptolib, openssl Find out what cryptographers think of a package before using it Code review like crazy Educate yourself on how to use library Understand caveats by original designer and programmer 52

53 Common pitfalls Generating randomness Storage of secret keys Virtual memory (pages secrets onto disk) Protocol interactions Poor user interface Poor choice of parameters or modes 53