Network Security 網路安全. Lecture 3 March 16, 2015 洪國寶

Transcription

1 Network Security 網路安全 Lecture 3 March 16, 2015 洪國寶 1

2 Outline Review: Symmetric encryption -- Classical techniques (Cont.) Symmetric encryption -- Modern techniques secure encryption schemes modern symmetric block encryption techniques 2

3 Review Introduction and terminologies Definition of cryptosystem and cryptanalysis Types of encryption operations the number of keys used the way the plaintext processed Symmetric encryption -- Classical techniques substitution: monoalphabetic: Caesar, Playfair, Hill polyalphabetic: Vigenere tableau transposition 3

4 Review: Steganography vs Cryptography Types of transformation (in model for network communication security model) Steganography: conceal the existence of the secret message Cryptography: render the secret message unintelligible to outsiders 4

5 Review: Definition of cryptosystems A cryptosystem is a five-tuple (P,C,K,E,D), where the following conditions are satisfied: 1. P is a finite set of possible plaintexts 2. C is a finite set of possible ciphertexts 3. K, the key space, is a finite set of possible keys 4. For each k K, there is an encryption rule e K E and a corresponding decryption rule d K D. Each e K :P C and d K : C P are functions such that d K (e K (x)) = x for every plaintext x P. Example: Caesar cipher 5

6 Example: Caesar (shift) cipher P = {0(A), 1(B),, 25(Z)} C = {0(A), 1(B),, 25(Z)} K = { 0, 1, 2,, 25} e k (x) x + k mod 26 d k (y) y k mod 26 6

7 Review: Attacking a cryptosystem Cryptanalysis approach: this type of attack exploits the characteristics of the algorithm plus perhaps some knowledge of the general characteristics of the plaintext or even some sample plaintext-ciphertext pairs. Brute force approach: an attacker tries every possible key on a piece of ciphertext until intelligible translation into plaintext is obtained. 7

8 Review: Kerkhoff s principle It is hard (and often impossible), to keep a cryptosystem in use secret! Designing a good cryptosystem is hard! If you don t publish, nobody will analyze your scheme... except for the bad guys! Distinguish system itself (= algorithm), from key: Key: secret, easy to change, chosen at random from large set of possible keys. Assume: Bad guys know system but don t know key! 8

9 9

10 Review: More Definitions unconditional security no matter how much computer power is available, the cipher cannot be broken since the ciphertext provides insufficient information to uniquely determine the corresponding plaintext computational security given limited computing resources (eg time needed for calculations is greater than age of universe), the cipher cannot be broken 10

11 Review: Cryptographic systems can characterize by: type of encryption operations used substitution / transposition / product number of keys used single-key or private / two-key or public way in which plaintext is processed block / stream 11

12 Review: Classical Substitution Ciphers where letters of plaintext are replaced by other letters or by numbers or symbols monoalphabetic: Single letter: Caesar Multiple letter: Playfair, Hill polyalphabetic: Vigenere tableau 12

13 Review: Monoalphabetic Cipher shuffle the letters arbitrarily each plaintext letter maps to a different random ciphertext letter hence key is 26 letters long, K =26! Plain: abcdefghijklmnopqrstuvwxyz Cipher: DKVQFIBJWPESCXHTMYAUOLRGZN Plaintext: ifwewishtoreplaceletters Ciphertext: WIRFRWAJUHYFTSDVFSFUUFYA 13

14 Review: Monoalphabetic Cipher Language Redundancy and Cryptanalysis human languages are redundant eg "th lrd s m shphrd shll nt wnt" letters are not equally commonly used in English e is by far the most common letter then T,R,N,I,O,A,S other letters Z,J,K,Q,X are fairly rare have tables of single, double & triple letter frequencies Single letter monoalphabetic substitution ciphers are insecure. 14

15 Review: Playfair Cipher: Key Matrix a 5X5 matrix of letters based on a keyword fill in letters of keyword (sans duplicates) fill rest of matrix with other letters eg. using the keyword MONARCHY MONAR CHYBD EFGIK LPQST UVWXZ 15

16 Review: Playfair Cipher Encrypting and Decrypting plaintext encrypted two letters at a time: 1. if a pair is a repeated letter, insert a filler like 'X', eg. "balloon" encrypts as "ba lx lo on" 2. if both letters fall in the same row, replace each with letter to right (wrapping back to start from end), eg. ar" encrypts as "RM" 3. if both letters fall in the same column, replace each with the letter below it (again wrapping to top from bottom), eg. mu" encrypts to "CM" 4. otherwise each letter is replaced by the one in its row in the column of the other letter of the pair, eg. hs" encrypts to "BP", and ea" to "IM" or "JM" (as desired) 16

17 Review: Hill cipher Hill 1929 The encryption algorithm takes m successive plaintext letters and substitutes for them m ciphertext letters. K = {m m invertible matrices over Z26 } Hill cipher completely hides single letter frequencies (i.e. Hill cipher is strong against ciphertext only attack.) Hill cipher can be easily broken with a known plaintext attack (only need m plaintext-ciphertext pairs). 17

18 Review: comparison Caesar cipher Playfair cipher Hill cipher Single/multiple letter substitution Single Multiple Multiple Vulnerable to Ciphertext-only attack Ciphertext-only attack (need more ciphertexts) Knownplaintext attack 18

19 Outline Review: Symmetric encryption -- Classical techniques (Cont.) Symmetric encryption -- Modern techniques secure encryption schemes modern symmetric block encryption techniques 19

20 Polyalphabetic Ciphers Polyalphabetic substitution cipher Improves on the simple monoalphabetic technique by using different monoalphabetic substitutions as one proceeds through the plaintext message makes cryptanalysis harder with more alphabets to guess and flatter frequency distribution 20

21 Vigenère Cipher simplest polyalphabetic substitution cipher is the Vigenère Cipher (p. 64) effectively multiple caesar ciphers key is multiple letters long K = k 1 k 2... k d i th letter specifies i th alphabet to use use each alphabet in turn repeat from start after d letters in message decryption simply works in reverse 21

22 Example write the plaintext out eg using keyword deceptive key: plaintext: wearediscoveredsaveyourself ciphertext: 22

23 Example write the plaintext out write the keyword repeated above it eg using keyword deceptive key: deceptivedeceptivedeceptive plaintext: wearediscoveredsaveyourself ciphertext: 23

24 Example write the plaintext out write the keyword repeated above it use each key letter as a caesar cipher key encrypt the corresponding plaintext letter eg using keyword deceptive key: deceptivedeceptivedeceptive plaintext: wearediscoveredsaveyourself ciphertext:zicvtwqngrzgvtwavzhcqyglmgj 24

25 Aids simple aids can assist with en/decryption expand into a Vigenère Tableau (see text Table 2.3) 25

26 26

27 Security of Vigenère Ciphers have multiple ciphertext letters for each plaintext letter hence letter frequencies are obscured but not totally lost start with letter frequencies see if look monoalphabetic or not if not, then need to determine number of alphabets, since then can attach each 27

28 Kasiski Method method developed by Babbage / Kasiski repetitions in ciphertext give clues to period so find same plaintext an exact period apart which results in the same ciphertext of course, could also be random fluke eg repeated VTW in previous example suggests size of 3 or 9 then attack each monoalphabetic cipher individually using same techniques as before 28

29 Example write the plaintext out write the keyword repeated above it use each key letter as a caesar cipher key encrypt the corresponding plaintext letter eg using keyword deceptive key: deceptivedeceptivedeceptive plaintext: wearediscoveredsaveyourself ciphertext:zicvtwqngrzgvtwavzhcqyglmgj 29

30 Vigenère Autokey System A keyword is concatenated with the plaintext itself to provide a running key Example: key: deceptivewearediscoveredsav plaintext: wearediscoveredsaveyourself ciphertext: ZICVTWQNGKZEIIGASXSTSLVVWLA Even this scheme is vulnerable to cryptanalysis Because the key and the plaintext share the same frequency distribution of letters, a statistical technique can be applied 30

31 Vernam Cipher 31

32 One-Time Pad (1/3) If a truly random key as long as the message is used, the cipher will be secure. It is called a One-Time pad (OTP) P=C=K=(Z2) n, n 1 k = (k 1, k 2,, k n ) x = (x 1, x 2,, x n ) y = (y 1, y 2,, y n ) e k (x) = (x 1 k 1, x 2 k 2,, x n k n ) d k (y) = (y 1 k 1, y 2 k 2,, y n k n ) 32

33 One-Time Pad (2/3) One-Time pad is unbreakable since if k is random then y is random too (that is, ciphertext bears no statistical relationship to the plaintext) and for any plaintext & any ciphertext there exists a key mapping one to other. In practice, two fundamental difficulties Supplying truly random keys of large volumn is a significant task Key distribution and protection are problematic 33

34 One-Time Pad (3/3) One-Time pad is of limited utility, and is useful primarily for low bandwidth channels requiring very high security. 34

35 Symmetric encryption -- Classical techniques (Cont.) Introduction and terminologies Definition of cryptosystem and cryptanalysis Types of encryption operations the number of keys used the way the plaintext processed Symmetric encryption -- Classical techniques substitution: monoalphabetic: Caesar, Playfair, Hill polyalphabetic: Vigenere tableau transposition 35

36 Transposition Ciphers now consider classical transposition or permutation ciphers these hide the message by rearranging the letter order without altering the actual letters used 36

37 Rail Fence cipher write message letters out diagonally over a number of rows eg. write message out as: m e m a t r h t g p r y e t e f e t e o a a t 37

38 Rail Fence cipher write message letters out diagonally over a number of rows then read off cipher row by row eg. write message out as: m e m a t r h t g p r y e t e f e t e o a a t giving ciphertext MEMATRHTGPRYETEFETEOAAT 38

39 Row Transposition Ciphers a more complex scheme write letters of message out in rows over a specified number of columns then reorder the columns according to some key before reading off the rows Key: Plaintext: a t t a c k p o s t p o n e d u n t i l t w o a m x y z Ciphertext: TTNAAPTMTSUOAODWCOIXKNLYPETZ 39

40 Product Ciphers ciphers using substitutions or transpositions are not secure because of language characteristics hence consider using several ciphers in succession to make harder, but: two substitutions make a more complex substitution two transpositions make more complex transposition but a substitution followed by a transposition makes a new much harder cipher this is bridge from classical to modern ciphers 40

41 Outline Review: Symmetric encryption -- Classical techniques (Cont.) Symmetric encryption -- Modern techniques secure encryption schemes modern symmetric block encryption techniques 41

42 Symmetric cryptosystems : modern techniques secure encryption schemes unconditionally secure/ computationally secure shannon and modern cryptography perfect secrecy and one time pad confusion and diffusion modern symmetric block encryption techniques introduction Feisted Network DES and its variants Blowfish RC5 42

43 Unconditionally secure/ Computationally secure A scheme is secure in information theoretical sense (unconditional): no matter how much computer power is available, the cipher cannot be broken since the ciphertext provides insufficient information to uniquely determine the corresponding plaintext computational sense: an attacker is computationally infeasible rather than information-theoretically impossible to recover a plaintext from its ciphertext. That is, given limited computing resources (eg time needed for calculations is greater than age of universe), the cipher cannot be broken. 43

44 Shannon and Modern Cryptography Claude Shannon, the creator of modern information theory Born in 1916, died in 2001 Collected papers in Two important papers about information theory Published in 1948 and 1949 Addressed two related problems: noisy channel problem and the secrecy problem these Form the basis of modern digital communication system 44

45 Shannon and One-time-pad One time pad provides perfect secrecy. Perfect secrecy: Ciphertext is indistinguishable from a random string There is no clues in the ciphertext that will make it any easier to get the key or the plaintext To define perfect secrecy mathematically involves probability theory. 45

46 Shannon and Perfect secrecy A cryptosystem provides perfect secrecy if and only if x P, y C, P p (x y) = P p (x) Equivalently P c (y x) = P c (y) Use blackboard 46

47 Shannon and Perfect secrecy A cryptosystem provides perfect secrecy if and only if x P, y C, P p (x y) = P p (x) Equivalently P c (y x) = P c (y) Theorem Suppose (P,C,K,E,D) is a cryptosystem where P = C = K. Then the cryptosystem provides perfect secrecy if and only if every key is used with equal probability, and x P, y C, a unique key k such that e k (x) = y Use blackboard 47

48 Shannon and Perfect secrecy Corollary One time pad provides perfect secrecy against passive attacks. 48

49 Shannon and Substitution- Permutation Ciphers in 1949 Claude Shannon introduced idea of substitution-permutation (S-P) networks modern substitution-transposition product cipher these form the basis of modern block ciphers S-P networks are based on the two primitive cryptographic operations we have seen before: substitution (S-box) permutation (P-box) provide confusion and diffusion of message 49

50 Diffusion and Confusion Terms introduced by Claude Shannon to capture the two basic building blocks for any cryptographic system Shannon s concern was to thwart cryptanalysis based on statistical analysis 50

51 Symmetric cryptosystems : modern techniques secure encryption schemes unconditionally secure/ computationally secure shannon and modern cryptography perfect secrecy and one time pad confusion and diffusion modern symmetric block encryption techniques introduction Feisted Network DES and its variants Blowfish RC5 51

52 Modern Block Ciphers: introduction Modern block ciphers P = C = {binary strings of fixed length} Can be regarded as substitution ciphers Substitution tables? Classical substitution is vulnerable to statistical analysis (of the plaintext) and brute force attacks Reason: P and K are too small 52

53 Modern Block Ciphers: introduction To make statistical analysis (of the plaintext) and brute force attacks infeasible P and K must be large For n-bit block, we need to choose Large n and Arbitrary reversible substitution between P and C Reason: need a large amount of plaintexts and ciphertexts and space for statistical analysis 53

54 Modern Block Ciphers: introduction Problem: To determine the specific mapping from all possible mappings requires K = 2 n! Equivalently, the size of a key is n 2 n For n = 64, the size of a key is = bits 54

55 Modern Block Ciphers: introduction Solution: confine ourselves to a subset of the 2 n! possible mappings. For example, Hill cipher Utilize the concept of product cipher Shannon SPN Feistel cipher structure 55

56 Symmetric cryptosystems : modern techniques secure encryption schemes unconditionally secure/ computationally secure shannon and modern cryptography perfect secrecy and one time pad confusion and diffusion modern symmetric block encryption techniques introduction Feisted Network DES and its variants Blowfish RC5 56

57 Block Cipher Principles block ciphers look like an extremely large substitution would need table of 2 64 entries (each has 64 bits) for a 64-bit block instead create from smaller building blocks using idea of a product cipher most symmetric block ciphers are based on a Feistel Cipher Structure 57

58 Feistel Cipher Structure Horst Feistel devised the feistel cipher based on concept of invertible product cipher partitions input block into two halves process through multiple rounds which perform a substitution on left data half based on round function of right half & subkey then have permutation swapping halves implements Shannon s substitution-permutation network concept 58

59 Feistel Cipher Structure 59

60 Feistel Cipher Design Principles block size increasing size improves security, but slows cipher key size increasing size improves security, makes exhaustive key searching harder, but may slow cipher number of rounds increasing number improves security, but slows cipher subkey generation greater complexity can make analysis harder, but slows cipher round function greater complexity can make analysis harder, but slows cipher 60

61 Feistel Cipher Design Principles fast software en/decryption & ease of analysis are more recent concerns for practical use and testing 61

62 Feistel Cipher Decryption 62

63 Symmetric cryptosystems : modern techniques secure encryption schemes unconditionally secure/ computationally secure shannon and modern cryptography perfect secrecy and one time pad confusion and diffusion modern symmetric block encryption techniques introduction Feisted Network DES and its variants Blowfish RC5 63

64 Data Encryption Standard (DES) most widely used block cipher in world adopted in 1977 by NBS (now NIST) as FIPS PUB 46 encrypts 64-bit data using 56-bit key has widespread use has been considerable controversy over its security 64

65 DES History IBM developed Lucifer cipher by team led by Feistel used 64-bit data blocks with 128-bit key then redeveloped as a commercial cipher with input from NSA and others in 1973 NBS issued request for proposals for a national cipher standard IBM submitted their revised Lucifer which was eventually accepted as the DES 65

66 DES Design Controversy although DES standard is public was considerable controversy over design in choice of 56-bit key (vs Lucifer 128-bit) and because design criteria were classified subsequent events and public analysis show in fact design was appropriate DES has become widely used, esp in financial applications 66

67 DES Encryption 67

68 Initial Permutation IP first step of the data computation IP reorders the input data bits even bits to LH half, odd bits to RH half quite regular in structure (easy in h/w) see text Table 3.2 example: IP(675a6967 5e5a6b5a) = (ffb2194d 004df6fb) Use blackboard 68

69 Permutation tables for DES (1/2) 69

70 DES Round Structure uses two 32-bit L & R halves as for any Feistel cipher can describe as: L i = R i 1 R i = L i 1 xor F(R i 1, K i ) takes 32-bit R half and 48-bit subkey and: expands R to 48-bits using perm E adds to subkey passes through 8 S-boxes to get 32-bit result finally permutes this using 32-bit perm P 70

71 Permutation tables for DES (2/2) 71

72 72

73 DES Round Structure 73

74 Substitution Boxes S have eight S-boxes which map 6 to 4 bits each S-box is actually 4 little 4 bit boxes outer bits 1 & 6 (row bits) select one rows inner bits 2-5 (col bits) are substituted result is 8 lots of 4 bits, or 32 bits row selection depends on both data & key feature known as autoclaving (autokeying) example: S( d ) = 5fd25e03 Use blackboard 74

75 75

76 DES Key Schedule forms subkeys used in each round consists of: initial permutation of the key (PC1) which selects 56-bits in two 28-bit halves 16 stages consisting of: selecting 24-bits from each half permuting them by PC2 for use in function f, rotating each half separately either 1 or 2 places depending on the key rotation schedule K 76

77 Table 3.2 DES Example (Table can be found on page 75 in textbook) 77 Note: DES subkeys are shown as eight 6-bit values in hex format

78 DES Decryption decrypt must unwind steps of data computation with Feistel design, do encryption steps again using subkeys in reverse order (SK16 SK1) note that IP undoes final FP step of encryption 1st round with SK16 undoes 16th encrypt round. 16th round with SK1 undoes 1st encrypt round then final FP undoes initial encryption IP thus recovering original data value Use blackboard 78

79 Avalanche Effect key desirable property of encryption alg where a change of one input or key bit results in changing approx half output bits DES exhibits strong avalanche 79

80 Avalanche Effect Example 1: Two plaintexts that differ by one bit Key:

81 Avalanche Effect Example 1: Two plaintexts that differ by one bit Key: Example 2: Plaintext: Two keys that differ by one bit

82 Avalanche Effect in DES 82

83 Strength of DES Key Size 56-bit keys have 2 56 = 7.2 x values brute force search looks hard recent advances have shown is possible in 1997 on Internet in a few months in 1998 on dedicated h/w (EFF) in a few days in 1999 above combined in 22hrs! still must be able to recognize plaintext now have alternatives to DES 83

84 Strength of DES Timing Attacks attacks actual implementation of cipher use knowledge of consequences of implementation to derive knowledge of some/all subkey bits specifically use fact that calculations can take varying times depending on the value of the inputs to it particularly problematic on smartcards 84

85 Strength of DES Analytic Attacks now have several analytic attacks on DES these utilise some deep structure of the cipher by gathering information about encryptions can eventually recover some/all of the sub-key bits if necessary then exhaustively search for the rest generally these are statistical attacks include differential cryptanalysis linear cryptanalysis related key attacks 85

86 Differential Cryptanalysis Markov Ciphers and Differential Cryptanalysis (1991) J. Lai, J. L. Massey, S. Murphy. Main idea: This is a chosen plaintext attack, assumes than an attacker knows (plaintext, ciphertext) pairs Difference P = P 1 P 2, C = C 1 C 2 Distribution of C s given P may reveal information about the key (certain key bits) After finding several bits, use brute-force for the rest of the bits to find the key. 86

87 Differential Cryptanalysis of DES Surprisingly DES was resistant to differential cryptanalysis. At the time DES was designed, the authors knew about differential cryptanalysis. S-boxes were designed to resist differential cryptanalysis. Against 8-round DES, attack requires 2 38 known plaintext-ciphertext pairs. Against 16-round DES, attack requires 2 47 chosen plaintexts. Differential cryptanalysis not effective against DES!!! 87

88 Linear Cryptanalysis of DES Another attack described in 1993 M. Matsui Instead of looking for isolated points at which a block cipher behaves like something simpler, it involves trying to create a simpler approximation to the block cipher as a whole. It is an attack that can be applied to an iterated cipher. 88

89 Basic idea of linear cryptanalysis Suppose that (*) Pr [ M i1 M i2 M iu C j1 C j2 C jv K p1 k p2 k pw =1] = Then one can recover some key bits given large number of PT/CT pairs For DES, exists (*) with =2-21 Using this method, one can find 14 key bits using (2 21 ) 2 PT/CT pairs 89

90 Linear Cryptanalysis of DES M. Matsui showed (1993/1994) that DES can be broke: 8 rounds: 2 21 known plaintext 16 rounds: 2 43 known plaintext, 40 days to generate the pairs (plaintext, ciphertext) and 10 days to find the key The attack has no practical implication, requires too many pairs. The key size remains the main attack point. 90

91 DES Strength Against Various Attacks Attack Method Known Chosen Storage complexity Processing complexity Exhaustive precomputation (table lookup) Exhaustive search 1 - negligible 2 55 Linear cryptanalysis For texts Differential cryptanalysis For texts The weakest point of DES remains the size of the key (56 bits)! 91

92 DES Variants clear a replacement for DES was needed theoretical attacks that can break it demonstrated exhaustive key search attacks AES is a new cipher alternative prior to this alternative was to use multiple encryption with DES implementations 92

93 Double DES 93

94 Triple DES 94

95 Why Triple-DES? why not Double-DES? NOT same as some other single-des use, but have meet-in-the-middle attack works whenever use a cipher twice since X = E K1 [P] = D K2 [C] attack by encrypting P with all keys and store then decrypt C with keys and match X value can show takes O(2 56 ) steps Use blackboard 95

96 Triple-DES with Two-Keys hence must use 3 encryptions would seem to need 3 distinct keys but can use 2 keys with E-D-E sequence C = E K1 [D K2 [E K1 [P]]] encrypt & decrypt equivalent in security if K1=K2 then can work with single DES standardized in ANSI X9.17 & ISO8732 no current known practical attacks 96

97 Triple-DES with Three-Keys although are no practical attacks on two-key Triple-DES have some indications can use Triple-DES with Three-Keys to avoid even these C = E K3 [D K2 [E K1 [P]]] has been adopted by some Internet applications, eg PGP, S/MIME 97

98 Question? 98