Network Security. Chapter 4 Symmetric Encryption. Cornelius Diekmann With contributions by Benjamin Hof. Technische Universität München

Transcription

1 Networ Security Chapter 4 Symmetric Encryption Cornelius Diemann With contributions by Benjamin Hof Lehrstuhl für Netzarchiteturen und Netzdienste Institut für Informati Version: October 29, 2015 IN2101, WS 15/16, Networ Security 1

2 Symmetric Encryption IN2101, WS 15/16, Networ Security 2

3 Symmetric Encryption Alice and Bob share a secret ey Implicit assumption: Only Alice and Bob now The ey is symmetric Alice and Bob share the same The ey is used to encrypt and decrypt Terminology Plaintext m The message itself Ciphertext c The encrypted plaintext Encryption: c = Enc (m) Decryption: m = Dec (c) Basic correctness requirement: Dec (Enc (m)) = m IN2101, WS 15/16, Networ Security 3

4 Example Alice nows m c m Bob Enc Dec nows m = This is networ security = 95 eb 50 0c f 88 8a f7 0b dd fb d7 64 c = ad 5c 66 d3 55 be c d2 75 3d 93 da fe d ac c1 2c e b4 82 2c b2 Enc = AES-128-ECB What security goals can we fulfill? Confidentiality? Yes. Integrity? No! An attacer could alter c. Authenticity? No. Who are Alice and Bob anyway? Maybe Rogue-Alice is claiming to be Alice? IN2101, WS 15/16, Networ Security 4

5 Example for Enc and Dec: One-Time-Pad IN2101, WS 15/16, Networ Security 5

6 One-Time-Pad: A Perfect Cipher Assumption: Alice and Bob share a perfectly random bitstream otp. = otp Enc otp (m) = m otp Dec otp (c) = c otp Chec: Dec otp (Enc otp (m)) = Dec otp (m otp) = (m otp) otp = m Requirements: Key must have same size as message. Key must only be used once. Note: denotes XOR IN2101, WS 15/16, Networ Security 6

7 Security of Ciphers IN2101, WS 15/16, Networ Security 7

8 Kerchoff s principle The cipher method must not be required to be secret, and it must be able to fall into the hands of the enemy without inconvenience. In other words: The cipher (encryption algorithm) is public. Only the ey is secret. IN2101, WS 15/16, Networ Security 8

9 Examples of secure real-world ciphers AES 3DES ChaCha20 One-Time-Pad Why can we trust them? They have been publicly reviewed, analyzed by cryptographers, and standardized. Well-tested implementations are available in your library Using them securely: 1 RTFM 2 eep the ey secret (Kerchoff s principle) IN2101, WS 15/16, Networ Security 9

10 Repetition: Dos and Don ts Do Do use standardized ciphers from your library Be aware of the dangers Unliely: A well-established cipher is broen or bacdoored Liely: Wrong usage of the cipher compromises security (RTFM)! Don t Don t implement your own cipher. It will be broen, I guarantee! Don t claim it s encrypted, it is secure. Forgetting integrity and authenticity may be worse than any information leaage! Don t forget about ey management. IN2101, WS 15/16, Networ Security 10

11 Attacing Symmetric Ciphers IN2101, WS 15/16, Networ Security 11

12 Attacing Symmetric Ciphers Goal: given c, learn something about m Note: if something about can be learned, the attac is successful. Why? Attac Scenarios: Ciphertext-only-attac Attcer nows c Known-plaintext attac For a fixed, the attacer got a pair (m, c) and tries to learn something about other ciphertexts Chosen-plaintext and chosen-ciphertext attac. similar to previous attac, but attacer can chose m or c freely Examples in networs passively sniffing attacer: usually ciphertext-only attacing a server: chosen-plaintext replaying eavesdropped modified messages: chosen-ciphertext IN2101, WS 15/16, Networ Security 12

13 Security of Ciphers Disclaimer: hand-waving idea. This is not a cryptography course. A cipher is secure if the best nown attac is brute-forcing all eys. Brute-Force: exhaustively testing all eys Good eysize (symmetric cipher): 128 bit A 10 Ghz CPU with 1 encryption operation per cycle needs about years to brute-force the whole ey space. On average, only half of the possible eys must be tried,... only years necessary IN2101, WS 15/16, Networ Security 13

14 Example: Security of One-Time-Pad IN2101, WS 15/16, Networ Security 14

15 One-Time-Pad: A Perfect Cipher c of length(c) can be decrypted to any m of length length(c) Only nowledge of reveals the right m OTP is a perfect cipher Attac scenarios in details Ciphertext-only: No attac possible; any possible plaintext can be generated with the ciphertext. Pairs of c and m don t help: The otp can be calculated, but this otp won t be reused! Any statistical attac: due to otp, the ciphertext is perfectly random! IN2101, WS 15/16, Networ Security 15

16 One-Time-Pad: Drawbacs Necessary ey length in bits: length() = length(m) must not be reused Wish list for practical ciphers length() length(m) Key of fixed length, e.g. 128 bit Key reusable for several messages Unavoidable implication (for length(m) length()): Brute-forcing: 2 length() instead of 2 length(c) for otp. Ciphertext-only attac succeeds w.h.p. when a is found which decrypts c to an intelligible m. If m is not perfectly random, c cannot be perfectly random Cipher is still secure IN2101, WS 15/16, Networ Security 16

17 Example: An Insecure Cipher IN2101, WS 15/16, Networ Security 17

18 Example: icry insecure cryptographic cipher B 4 ey of length 4 bit Split m into blocs of 4 bit each: m = m 1 m 2 m 3... Encrypt each bloc individually with Enc (m i ) = m = Dec (c i ) Example: encrypting L m = ord( L ) = 0x4c = 0100b 1100 b = 1010b c = 0xe6 (not an ASCII char) m 1 :0100 m 2 :1100 :1010 :1010 c 1 :1110 c 2 :0110 IN2101, WS 15/16, Networ Security 18

19 Example: Attacing icry Known-plaintext attac Attacer nows: (m, c) = (0100b 1100 b, 1110 b 0110 b ) Attacer can compute = 0100 b 1110 b = 1010 b or = 1100 b 0110 b = 1010 b Attacer can now read all future messages encrypted with this IN2101, WS 15/16, Networ Security 19

20 Example: Attacing icry Ciphertext-only attac: Attacer nows: c = 1110 b 0110 b m = Dec (c) ASCII value [not an ASCII char] [not an ASCII char] [not an ASCII char] [not an ASCII char] [not an ASCII char] [not an ASCII char] [not an ASCII char] [not an ASCII char] n [non-printable ASCII char] L ] * ; [non-printable ASCII char] [non-printable ASCII char] Attacer brute-forces the small ey space Intelligible decryptions: n and L Possible eys: 1000 b or 1010 b Attacer needs more ciphertext to improve the guess of the correct ey (because is reused) IN2101, WS 15/16, Networ Security 20

21 Bloc and Stream Ciphers IN2101, WS 15/16, Networ Security 21

22 Bloc and Stream Cipher Assumes: shared symmetric of fixed length Bloc cipher Encrypts and decrypts inputs of length n to outputs of length n Bloc length n Examples: AES, 3DES Stream cipher Generates a random bitstream, called eystream c = eystream m Examples: ChaCha20, RC4 (broen!) IN2101, WS 15/16, Networ Security 22

23 Example: Bloc Cipher AES-128 AES-128 blocs size: 128 bit (16 bytes) ey size: 128 bit m = This is networ. len(m) = 16 bytes = 128 truly random bits Enc (m) = 2d 3c ab 1b a ec e8 1d 56 0d 09 2b f6 77 IN2101, WS 15/16, Networ Security 23

24 Example: Some Stream Cipher m = HELLO = c 4c 4f = streamcipher.get eystream bytes(5) = 12 a7 f Enc (m) = m = 5a e2 b5 4b 1a IN2101, WS 15/16, Networ Security 24

25 Interlude: Which Crypto Cipher should I use? Probably AES Reasons to use AES Fast: 200 MBit/s in software and > 2 GB/s with Intel AES-NI Hardware implementations for embedded devices available A well-tested implementation is available in your library Secure (attacs exist, but AES is practically secure) AES seems to be the best we have, and it is among the most researched algorithms IN2101, WS 15/16, Networ Security 25

26 Modes of Encryption IN2101, WS 15/16, Networ Security 26

27 Modes of Encryption: Motivation Bloc ciphers handle messages of length x Problem: length(m) x Solution: Modes of Encryption We split m into blocs m i where length(m i ) = x m = m 1 m 2... m n if length(m) is not a multiple of x, the last bloc is filled up Technical Term: padding IN2101, WS 15/16, Networ Security 27

28 Electronic Code Boo Mode ECB c i = Enc (m i ) m 1 m 2... m n Enc Enc... Enc c 1 c 2... c n IN2101, WS 15/16, Networ Security 28

29 ECB Example m = This is networ.this is networ.security Enc = AES-128, mode = ECB c = 2d 3c ab 1b a ec e8 1d 56 0d 09 2b f6 77 2d 3c ab 1b a ec e8 1d 56 0d 09 2b f ea 2c e7 40 db 06 a c 37 0b Why are line 1 and line 2 identical? m 1 = This is networ. m 2 = This is networ. m 3 = Security + padding IN2101, WS 15/16, Networ Security 29

30 ECB Drawbac Identical plaintext blocs are encrypted to identical ciphertext! IN2101, WS 15/16, Networ Security 30

31 Cipher Bloc Chaining Mode CBC m 1 m 2... m n IV c n 1 Enc Enc... Enc c 1 c 2... c n IN2101, WS 15/16, Networ Security 31

32 CBC Discussion CBC Encrypt: c i = Enc (c i 1 m i ) Why the with the previous bloc? Identical plaintext blocs are encrypted to non-identical ciphertext c 0 = IV What is the use of the IV (initialization vector)? Completely identical messages are encrypted to non-identical ciphertexts IV may be public IV must be fresh IN2101, WS 15/16, Networ Security 32

33 CBC Example Sending m encrypted over UDP, using CBC. m is split into blocs for the bloc cipher. m = m 1 m 2 m 3 m 4 m 5 m 6 m is split over two UDP pacets. A new and random IV is put in clear at the beginning of the payload of every pacet. IP header UDP header IV 1 c 1 c 2 c 3 IP header UDP header IV 2 c 4 c 5 c 6 IN2101, WS 15/16, Networ Security 33

34 CBC Decrypt CBC Encrypt: c i = Enc (c i 1 m i ) c 0 = IV Let s do the math: c i = Enc (c i 1 m i ) Dec (c i ) = Dec (Enc (c i 1 m i )) Dec (c i ) = c i 1 m i Dec (c i ) c i 1 = m i CBC-Decrypt: m i = c i 1 Dec (c i ) IN2101, WS 15/16, Networ Security 34

35 CBC Decrypt c 1 c 2... c n Dec Dec... Dec IV c n 1 m 1 m 2... m n IN2101, WS 15/16, Networ Security 35

36 Output Feedbac Mode OFB IV n 1 Enc Enc... Enc 1 2 n m 1 c 1 m 2 c 2... m n c n Transforms a bloc cipher into a stream cipher. IV may be public but must be fresh. IN2101, WS 15/16, Networ Security 36

37 OFB Decrypt IV n 1 Enc Enc... Enc 1 2 n c 1 m 1 c 2 m 2... c n m n IN2101, WS 15/16, Networ Security 37

38 Counter Mode CTR ctr i = IV i ctr 1 ctr 2 ctr n Enc Enc... Enc m 1 c 1 m 2 c 2... m n c n Transforms a bloc cipher into a stream cipher. IV may be public but must be fresh. IN2101, WS 15/16, Networ Security 38

39 CTR Decrypt ctr 1 ctr 2 ctr n Enc Enc... Enc c 1 m 1 c 2 m 2... c n m n IN2101, WS 15/16, Networ Security 39

40 Literature Jonathan Katz and Yehuda Lindell, Introduction to Modern Cryptography, 2nd edition, CRC Press, 2015 = recommended Filippo Valsorda, The ECB Penguin, PyTux Blog, 2013, Günter Schäfer, Security in Fixed and Wireless Networs: An Introduction to Securing Data Communications, Wiley, 2004 Günter Schäfer, Netzsicherheit, dpunt, 2003 IN2101, WS 15/16, Networ Security 40