Chap. 3. Symmetric Key Crypto (Block Ciphers)

Transcription

1 Introduction to SW Security Chap. 3. Symmetric Key Crypto (Block Ciphers) Spring, 28 Cho, Seong-je ( 조성제 ) sjcho at dankook.ac.kr

2 Many slides taken from Textbook (Its site), and Web sites Textbook M. T. Goodrich and R. Tamassia, Introduction to Computer Security, Pearson (Addison-Wesley) page?isbn= &forced_logout=forced_logged_out Many photos in presentation licensed from google images or wikipedia 2

3 Contents Symmetric Key Crypto Block cipher DES (Data Encryption Standard) AES (Advanced Encryption Standard) : Rijndael (rain-dahl) Block cipher modes of operation Stream cipher 3

4 Learning Objectives After studying this, you should be able to: Explain the basic operation of symmetric block encryption algorithms Describe the structure and function of AES Distinguish among the major block cipher modes of operation Understand its inner working and uses Focus more on the how than the why To understand : why -> need to understand cryptanalysis (Chapter 6) Discuss the issues involved in key distribution 4

5 Block Cipher Plaintext and Ciphertext consists of fixed sized blocks Design goal: security and efficiency It is not easy to design a block cipher that is secure and efficient Block cipher key determines a electronic codebook Each key yields a different codebook Employ both confusion and diffusion Example of Block ciphers DES, AES, SEED, Blowfish, RC6 International Data Encryption Algorithm (IEDA) 5

6 Block Ciphers Blocks of letters encrypted simultaneously Many modern cryptosystems (AES, RSA) are also block ciphers In a block cipher: Plaintext and ciphertext have fixed length b (e.g., 128 bits) A plaintext of length n is partitioned into a sequence of m blocks, P[0],, P[m 1], where n b*m n + b Each message is divided into a sequence of blocks and encrypted or decrypted in terms of its blocks. Plaintext Requires padding with extra bits. Blocks of plaintext 6

7 (Iterated) Block Cipher Ciphertext obtained from plaintext by iterating a round function Input to round function consists of key and the output of previous round Usually implemented in software Typical Type is Feistel Cipher 7

8 Feistel Cipher Feistel cipher refers to a type of block cipher design, not a specific cipher Split plaintext block into left and right halves: Plaintext = (L 0,R 0 ) For each round i=1,2,...,n, compute L i = R i 1 R i = L i 1 F(R i 1,K i ) where F is round function and K i is subkey Ciphertext = (L n,r n ) Decryption: Ciphertext = (L n,r n ) For each round i=n,n 1,,1, compute R i 1 = L i L i 1 = R i F(R i 1,K i ) where F is round function and K i is subkey Plaintext = (L 0,R 0 ) Formula works for any function F But only secure for certain functions F Ex: F(R i-1, K i ) = 0 for all R i-1 and K i -> not secure 8

9 Padding Block ciphers require the length n of the plaintext to be a multiple of the block size b Padding the last block needs to be unambiguous (cannot just add zeroes) When the block size and plaintext length are a multiple of 8, a common padding method (PKCS5) is a sequence of identical bytes, each indicating the length (in bytes) of the padding Example for b = 128 bits (16 bytes) Plaintext: Roberto (7 bytes) Padded plaintext: Roberto (16 bytes), where 9 denotes the number and not the character We need to always pad the last block, which may consist only of padding 9

10 Block Ciphers in Practice Data Encryption Standard (DES) Developed by IBM and adopted by NIST in 1977 Based on IBM Lucifer cipher DES is a Feistel cipher 64-bit blocks and 56-bit keys 16 rounds 48 bits of key used each round (subkey) Security depends primarily on S-boxes Each S-boxes maps 6 bits to 4 bits Total 8 S-boxes Small key space makes exhaustive search attack feasible since late 90s

11 One Round of DES L R key expand L Compress R S-boxes(8) 32 P Box L R 32 key Next Slide

12 DES S-box 8 substitution boxes or S-boxes Each S-box maps 6 bits to 4 bits S-box number 1 input bits (0,5) input bits (1,2,3,4)

13 Security of DES Security of DES depends a lot on S-boxes Everything else in DES is linear Thirty years of intense analysis has revealed no back door Attacks today use exhaustive key search Inescapable conclusions Designers of DES knew what they were doing Designers of DES were ahead of their time 13

14 Block Ciphers in Practice Triple DES (3DES) Nested application of DES with three different keys KA, KB, and KC Effective key length is 168 bits, making exhaustive search attacks unfeasible C = E KC (D KB (E KA (P))); P = D KA (E KB (D KC (C))) Equivalent to DES when KA=KB=KC (backward compatible) But practically, Triple DES is C = E(D(E(P,K 1 ),K 2 ),K 1 ) P = D(E(D(C,K 1 ),K 2 ),K 1 ) (2 bit key) Advanced Encryption Standard (AES) Selected by NIST in 20 through open international competition and public discussion 128-bit blocks and several possible key lengths: 128, 192 and 256 bits Exhaustive search attack not currently possible AES-256 is the symmetric encryption algorithm of choice 14

15 DES vs. AES Date? 15

16 Triple DES 16

17 Advanced Encryption Standard (AES) AES animation:

18 AES Crypt A file encryption software available on several operating systems that uses the industry standard AES to easily and securely encrypt files. You do not need to be an expert to use AES Crypt, nor do you need to understand cryptography. Using a powerful 256-bit encryption algorithm, AES Crypt can safely secure your most sensitive files. AES Crypt is completely free open source software 18

19 How was AES created? DES was broken: Key size is too small Brute force attack is possible Attacked by exhaustive key search: Special purpose DES crackers and distributed attack at internet Triple-DES is very resistant to crypto analysis but, No efficient software code Too slow: 3 times as many rounds as DES 3DES use 64-bit block size: for reasons of both efficient and security, a larger block size desirable So, 3DES is not solution for long-term use In 1997, NIST made a formal call for advanced encryption standard algorithms 19

20 How was AES created? Goal: replace DES for both government and private sector encryption AES Competition Requirements Unclassified, publicly disclosed encryption algorithm, available royaltyfree, worldwide. Private key symmetric block cipher Block sizes of 128-bits, 128/192/256-bit keys Stronger & faster than Triple-DES Provide full specification & design details Both C & Java implementations 15 candidates accepted in Jun 98 5 were shortlisted in Aug 99 Rijndael, MARS, RC6, Serpent, Twofish 20

21 AES Evaluation Criteria initial criteria: security effort for practical cryptanalysis Resistance to cryptanalysis, soundness of math, randomness of output, etc. Speed in terms of computational efficiency (cost) and memory requirements algorithm & implementation characteristics Flexibility, hardware & software suitability, algorithm simplicity final criteria general security: 3 년의평가기간동안암호학계에서수행된보안성분석 ease of software & hardware implementation implementation attacks 시간공격 : 컴퓨터가메시지를해독하는데걸리는시간을추적유지하여키결정 전력분석공격 : 특정시간에소비한전력은처리되는데이터에관련됨 (1 을 write 하는것이 0 을 write 하는것보다많은전력소비 ) flexibility (in en/decrypt, keying, other factors) 키와블록크기에대한지원의용이성 새로운공격에대응하는라운드횟수의증가용이성 21

22 Comparison of AES, 3DES and DES 22

23 The AES Cipher - Rijndael Rijndael (rain-dahl) was selected as the AES in Oct-20 Designed by Vincent Rijmen ( 빈센트라이먼 ) and Joan Daemen ( 존데이먼 ) in Belgium Issued as FIPS PUB 197 standard in Nov-20 An iterative rather than Feistel cipher Iterated block cipher (like DES) Not a Feistel cipher (unlike DES) processes data as block of 4 columns of 4 bytes (128 bits) operates on entire data block in every round Plaintext (128 bits) AES Key ( bits) Ciphertext (128 bits) 23

24 The Advanced Encryption Standard (AES) AES is a block cipher that operates on 128-bit blocks. Key size of 128-, 192-, or 256-bits Variable number of rounds (, 12, 14): if B = K = 128 bits 12 if either B or K is 192 and the other is if either B or K is 256 bits 128-bit round key used for each round: 128 bits = 16 bytes = 4 words needs Nr+1 round keys for Nr rounds needs 44 words for 128-bit key ( rounds) 24

25 AES Round Structure The 128-bit version of the AES encryption algorithm proceeds in ten rounds. Each round performs an invertible transformation on a 128-bit array, called state. State: 4X4 array of bytes 128 bits = 16 bytes The initial state X 0 is the XOR of the plaintext P with the key K: X 0 = P XOR K. Round i (i = 1,, ) receives state X i-1 as input and produces state X i. The ciphertext C is the output of the final round: C = X. 25

26 Overall Structure 26

27 AES Overview Each round uses 4 functions (in 3 layers ) 4 functions: 1 of permutation and 3 substitutions 3 layers: Linear, Nonlinear and Key addition Permutation Linear mixing layer: ShiftRow (State) Substitutions Nonlinear layer: SubBytes (State, S-box) Nonlinear layer: MixColumn (State) Key addition layer: AddRoundKey (State, KeyNr) 27

28 Multiple Rounds Rounds are (almost) identical First and last round are a little different AES parameters Nb Number of columns in the State Nb = 4 Nk Number of 32- bit words in the Key Nk = 4, 6, or 8 Nr Number of rounds (function of Nb and Nk) Nr =, 12, or bits = 16 bytes = 4-by-4 table of bytes = 4 words (1 word= 4 bytes) 28

29 Data Unit 128 bits = 16 bytes = 4-by-4 table of bytes = 4 words (1 word= 4 bytes) 29

30 High level description Key Expansion Round keys are derived from the cipher key using Rijndael's key schedule Initial Round AddRoundKey : Each byte of the state is combined with the round key using bitwise xor Rounds Final Round SubBytes : non-linear substitution step ShiftRows : transposition step MixColumns : mixing operation of each column. AddRoundKey SubBytes ShiftRows AddRoundKey Changing Plaintext to State: 1 block = 128 bits = 16 bytes = a 4-by-4 array of states Total 16 states: each state s i,j = 8 bits = 1 byte 30

31 AES: High-Level Description State: 4 X 4 array of bytes: 128 bits = 16 bytes State = X AddRoundKey(State, Key0) for r = 1 to Nr - 1 SubBytes(State, S-box) ShiftRows(State) MixColumns(State) AddRoundKey(State, KeyNr) endfor SubBytes(State, S-box) ShiftRows(State) AddRoundKey(State, KeyNr) Y = State (op1) (op2) (op3) (op4) 31

32 Changing Plaintext to State 128 bits = 16 bytes = 16 states = 4 words 32

33 Each Round Each round is built from four basic steps: 1. SubBytes step: an S-box substitution step 2. ShiftRows step: a permutation step 3. MixColumns step: a matrix multiplication step 4. AddRoundKey step: an XOR step with a round key derived from the 128-bit encryption key 33

34 1. SubBytes step The SubBytes operation involves 16 independent byte-to-byte transformations. S 1,1 = xy 16 Interpret the byte as two hexadecimal digits xy SW implementation, use row (x) and column (y) as lookup pointer CC DD AA EE BB FF 34

35 1. SubBytes step Replace each byte in the state array with its corresponding value from the S-Box There is an InvSubBytes Table for decryption The SubBytes and InvSubBytes transformations are inverses of each other 35

36 AES S-box Example: 0x53 is replaced with 0xED Last 4 bits of input First 4 bits of input 36

37 2. ShifRows step Shifting, which permutes the bytes. A circular byte shift in each each 1 st row is unchanged 2 nd row does 1 byte circular shift to left 3rd row does 2 byte circular shift to left 4th row does 3 byte circular shift to left In the encryption, the transformation is called ShiftRows In the decryption, the transformation is called InvShiftRows and the shifting is to the right 37

38 2. ShifRows step ShiftRows and InvShiftRows 38

39 3. MixColumns step ShiftRows and MixColumns provide diffusion to the cipher Each column is processed separately Each byte is replaced by a value dependent on all 4 bytes in the column Effectively a matrix multiplication in GF(2 8 ) using prime poly m(x) =x 8 +x 4 +x 3 +x+1 39

40 3. MixColumns step The MixColumns transformation operates at the column level; it transforms each column of the state to a new column. S 0,c = ({02} S 0,c ) ({03} S 1,c ) S 2,c S 3,c S 1,c = S 0,c ({02} S 1,c ) ({03} S 2,c ) S 3,c S 2,c = S 0,c S 1,c ({02} S 2,c ) ({03} S 3,c ) S 3,c = ({03} S 0,c ) S 1,c S 2,c ({02} S 3,c 40

41 4. AddRoundKey XOR state with 128-bits of the RoundKey (Subkey) RoundKey (subkey) determined by key schedule algorithm takes 128-bits (16-bytes) key and expands into array of bit words AddRoundKey proceeds one column at a time. adds a round key word with each state column matrix the operation is matrix addition Inverse for decryption identical since XOR own inverse, with reversed keys 41

42 4. AddRoundKey Example of expansion of a 128-bit cipher key Cipher key = 2b7e151628aed2a6abf cf4f3c w0=2b7e1516 w1=28aed2a6 w2=abf71588 w3=09cf4f3c 42

43 Key Expansion Scheme takes 128-bits (16-bytes) key and expands into array of bit words 43

44 Key Expansion Scheme 라운드상수 각라운드상수 RCon 은 4 바이트값으로오른쪽의 3 바이트는 0 [ 표 ] 각라운드에서사용하는상수값 RCon 44

45 AES Round Summary 45

46 AES Decryption To decrypt, process must be invertible Inverse of AddRoundKey is easy, since is its own inverse MixColumn is invertible (inverse is also implemented as a lookup table) Inverse of ShiftRow is easy (cyclic shift the other direction) SubBytes is invertible (inverse is also implemented as a lookup table) 46

47 AES Design Rationale Substitute Bytes To be resistant to known cryptanalytic attacks by making a low correlation between input bits and output bits. Shift Row Note input and output are treated as State(4X4 array) To move an individual byte from one column to another Mix Column To ensure a good mixing the bytes of each column Add Round Key To affect every bit of State The complexity of the round key expension ensure security 47

48 Block cipher modes of operation ECB / CBC / CFB / OFB / CTR 48

49 Symmetric cipher encryption How to encrypt multiple blocks? A new key for each block? As bad as (or worse than) a one-time pad! Encrypt each block independently? Make encryption depend on previous block(s), i.e., chain the blocks together? How to handle partial blocks? 49

50 Mode of operation of Block Cipher 블록암호는특정한길이의블록단위로동작하기때문에, 가변길이데이터를암호화하기위해서는먼저이들을단위블록들로나누어야하며, 그리고그블록들을어떻게암호화할지를정해야하는데, 이때블록들의암호화방식을운용모드라고부른다 Block: a fixed-length data A mode of operation describes how to repeatedly apply a cipher's single-block operation to securely transform amounts of data larger than a block 평문의길이가블록암호의블록크기보다클경우에는어떻게블록암호를적용할것인가? 이런문제점을해결하고다양한응용환경하에적절한암호화도구로사용할수있는여러유형의효율적인운영방식들을제시하고있다. 이러한방식들을블록암호모드라고한다. 50

51 Modes of Operations Block Cipher Modes The way a block cipher encrypts and decrypts a sequence of message blocks. Many encryption ways (modes of operation) for multiple block cipher Mode of operation of Block cipher Electronic Codebook (ECB) mode Encrypt each block independently Cipher-Block Chaining (CBC) mode Chain the blocks together More secure than ECB, virtually no extra work Cipher-Feedback (CFB) mode Output Feedback (OFB) mode Counter (CTR) mode Popular for random access Data integrity of block cipher Message Authentication code (MAC) 51

52 ECB Mode Electronic Code Book (ECB) Mode (is the simplest): Block P[i] encrypted into ciphertext block C[i] = E K (P[i]) Block C[i] decrypted into plaintext block M[i] = D K (C[i]) Public domain images from and 52

53 ECB Cut and Paste Attack Suppose plaintext is Alice digs Bob. Trudy digs Tom. Assuming 64-bit blocks and 8-bit ASCII: P 0 = Alice di, P 1 = gs Bob., P 2 = Trudy di, P 3 = gs Tom. Ciphertext: C 0, C 1, C 2, C 3 Trudy cuts and pastes attack: C 0, C 3, C 2, C 1 Decrypts as Alice digs Tom. Trudy digs Bob. 53

54 EBC Weakness Suppose P i = P j Then C i = C j and Trudy knows P i = P j This gives Trudy some information, even if she does not know P i or P j We should not give the cryptanalyst anything for free. Trudy might know P i Alice s original image & Alice s encrypted image Why does this happen? Same plaintext block Same ciphertext! 54

55 Strengths and Weaknesses of ECB Strengths: Is very simple Allows for parallel encryptions of the blocks of a plaintext Can tolerate the loss or damage of a block Weakness: 동일한평문블록이동일한암호문블록으로나타남 Documents and images are not suitable for ECB encryption since patters in the plaintext are repeated in the ciphertext: 암호문을보면평문속에패턴이반복됨을알수있음 블록위치변조공격가능 : 공격자가암호문블록을서로변경할경우, 수신자가모를수있음 55

56 Cipher Block Chaining (CBC) Mode Blocks are chained together The previous ciphertext block is combined with the current plaintext block C[i] = E K (C[i 1] P[i]) C[ 1] = IV, is random initialization vector, but need not be secret Decryption: P[i] = C[i 1] D K (C[i]) 암호문블록이 1개파손되었다면, 암호문블록의길이가바뀌지않는다면복호화했을때에평문블록에미치는영향은 2개블록에한정됨 CBC Encryption: CBC Decryption: P[0] P[1] P[2] P[3] P[0] P[1] P[2] P[3] IV IV E K E K E K E K D K D K D K D K C[0] C[1] C[2] C[3] C[0] C[1] C[2] C[3] 56

57 Strengths and Weaknesses of CBC Strengths: Identical plaintext blocks yield different ciphertext blocks Doesn t show patterns in the plaintext the most common mode fast and relatively simple Weaknesses: CBC requires the reliable transmission of all the blocks sequentially It cannot be parallelized CBC is not suitable for applications that allow packet losses (e.g., music and video streaming) Cut and paste is still possible, but more complex (and will cause garbles) If C 1 is garbled to, say, G then P 1 C 0 D(G, K), P 2 G D(C 2, K) But P 3 = C 2 D(C 3, K), P 4 = C 3 D(C 4, K), Automatically recovers from errors! 57

58 Counter (CTR) mode CTR is popular for random access Every step of encryption and decryption can be in parallel We perform encryption through an exclusive-or with a generated pad We start with a random seed, Counter (= IV) 58

59 Java AES Encryption Example Source Generate an AES key KeyGenerator keygen = KeyGenerator.getInstance("AES"); SecretKey aeskey = keygen.generatekey(); Create a cipher object for AES in ECB mode and PKCS5 padding Encrypt Decrypt Cipher aescipher; aescipher = Cipher.getInstance("AES/ECB/PKCS5Padding"); aescipher.init(cipher.encrypt_mode, aeskey); byte[] plaintext = "My secret message".getbytes(); byte[] ciphertext = aescipher.dofinal(plaintext); aescipher.init(cipher.decrypt_mode, aeskey); byte[] plaintext1 = aescipher.dofinal(ciphertext); 59

60 Libraries Implementation Company Development source Description Libgcrypt OpenSSL GnuPG community and gcode The OpenSSL Project C C al/libgcrypt.html libmcrypt C Replacement for the old crypt() package. mcrypt (3) Linux man page MCRYPT mcrypt_module_open( char *algorithm, char* algorithm_directory, char* mode, char* mode_directory); int mcrypt_generic_init( MCRYPT td, void *key, int lenofkey, void *IV); int mcrypt_generic( MCRYPT td, void *plaintext, int len); int mdecrypt_generic( MCRYPT td, void *ciphertext, int len); int mcrypt_generic_end( MCRYPT td); int mcrypt_generic_deinit( MCRYPT td); 60

61 Summary Encryption provides confidentiality AES was designed after DES. The algorithms used in AES are so simple that they can be easily implemented using cheap processors and a minimum amount of memory. Most of the known attacks on DES were already tested on AES. Brute-Force Attack AES is definitely more secure than DES due to the larger-size key. Statistical Attacks Numerous tests have failed to do statistical analysis of the ciphertext 61 Computer Security & OS Lab , S 15