ENGI 8868/9877 Computer and Communications Security III. BLOCK CIPHERS. Symmetric Key Cryptography. insecure channel

Transcription

1 (a) Introduction - recall symmetric key cipher: III. BLOCK CIPHERS k Symmetric Key Cryptography k x e k y yʹ d k xʹ insecure channel Symmetric Key Ciphers same key used for encryption and decryption two types: (1) block ciphers encrypt/decrypt large block of bits as a group (2) stream ciphers encrypt/decrypt each bit (or a small number of bits) separately - most classical ciphers are stream ciphers and operate on one character (~ few bits) results in many of trivial attacks we have discussed Block Ciphers - 1

2 - one aspect to improving security and efficiency would be to have the encryption operation execute on blocks of plaintext bits (eg. 64 bit or 128 bit block) this is somewhat of a false generalization since one-time pad and stream ciphers can encrypt one bit at a time - best known block ciphers: Historical: Data Encryption Standard (DES) 64-bit block with 56-bit key most applied cipher from late '70s to early 2000s Modern: Advanced Encryption Standard (AES) 128-bit block with 128, 192, or 256-bit key most applied cipher today - Shannon (1949): ciphers can be constructed by taking product of 2 ciphers eg. e!!,!! x = e!! (e!! x ) if done carefully, product is more secure than base ciphers - block ciphers use Shannon's concept by using many rounds of simple cryptographic operations so that security is obtained eg. simple Substitution-Permutation Network block cipher Block Ciphers - 2

3 (b) Substitution-Permutation Network (SPN) Block Ciphers - 3

4 - SPN is a simple model of a block cipher incorporating fundamentals of DES and AES simple SPN is popular in lightweight (i.e., low complexity) ciphers targeted to embedded systems such as RFID tags and wireless sensor network devices - Shannon's principles: confusion complex mathematical relationship (eg. nonlinear) between plaintext and ciphertext diffusion local effect in plaintext block spread across all ciphertext bits Components of SPN (1) S-box (substitution) confusion S: {0, 1} m {0, 1} m m-bit one-to-one mapping 4 4 S-box mapping (i.e., m = 4) in hex: input A B C D E F output E 4 D 1 2 F B 8 3 A 6 C Block Ciphers - 4

5 (2) Permutation (transposition of bits) diffusion π P : {1,, N} {1,, N} where N is block size transposes bits between S-box output in one round to S-box input in next round 16 bit permutation: input bit position output bit position (3) Key Mixing - each round must have round key mixed with data - round keys derived from cipher key algorithm to do so called key schedule, which often uses substitutions and/or permutations (key schedule not shown in SPN figure on p. 3) - round keys typically mixed with, or added to, cipher data by using bit-by-bit XOR Block Ciphers - 5

6 General Comments - example 16-bit SPN is a "toy" cipher using chosen plaintext attack could easily build a table of 2 16 ciphertext values indexed by plaintext values for a cipher with a given key under attack practically secure block sizes are at least 64 bits practical ciphers typically use either 4 4 S-boxes (lightweight ciphers) or 8 8 S-boxes (eg. AES) - SPN structure is simple and easy to implement in hardware and software - can have same S-box mapping for every S-box in round (eg. AES) or different S-box mappings for each S-box in a round (eg. DES) - AES is similar to SPN structure 8 8 S-boxes, 128-bit block 16 S-boxes per round linear transformation used between S-box layers instead of permutation 128-bit key version of AES uses 10 rounds - in SPN, last round must be followed by round key mixing or it would be trivial to remove last layer of S-boxes in attack - decryption is equivalent to going backwards through cipher and can be performed using same structure as encryption except: (1) inverse S-boxes must be used (2) round keys applied in reverse order of rounds (3) placement of round key bits must be moved around Block Ciphers - 6

7 (c) Linear Cryptanalysis Reference: - we shall consider a simple version of the attack which targets linear approximations of plaintext and ciphertext subsets - linear expression to be exploited is of form (LA) - for example: linear approximation of cipher Block Ciphers - 7

8 - let p L be defined as the probability that (LA) holds Example: if {x i }, {y j } are independent random variables that are equally likely to be 0 or 1, probability that (LA) holds is p L = ½ linear cryptanalysis exploits an expression like (LA) for which p L ½ - assume x 3 x 7 x 11 y 4 y 12 Σ k = 0 holds with probability of p L =.5327 where Σ k is an XOR sum of some round key bits x 3 x 7 x 11 y 4 y 12 = Σ k holds with probability of p L = if we captured known plaintexts from 3 systems (i.e., one block cipher with 3 different keys), how should we interpret the following? System #(x 3 x 7 x 11 y 4 y 12 = 0) #(x 3 x 7 x 11 y 4 y 12 = 1) Probable value of Σ k Block Ciphers - 8

9 - so we can use (1) our knowledge of a linear approximation involving plaintext, ciphertext, and key bits and (2) captured information from the system (known plaintext and corresponding ciphertext) to determine the XOR sum of a number of key bits this is equivalent to finding one bit of key and using numerous such approximations, we can find more key bits (or their equivalent) But how does a cryptanalyst determine such linear approximations? by concatenating linear approximations of S-boxes and approximation of p L determined using piling-up lemma Piling-Up Lemma - consider 2 independent binary random variables X 1 and X 2 where - now Block Ciphers - 9

10 - define ε 1 to be bias of X 1 p 1 = ½ + ε 1 leading to ε 2 to be bias of X 2 p 2 = ½ + ε 2 - similarly - in general, let ε 1, 2,, n represent bias of random variable X 1 X 2 X n where X 1, X 2, are all independent with biases ε 1, ε 2, ε 1, 2,, n = Piling-Up Lemma - note that if ε i = 0, for any i, (i.e., p i = ½) ε 1, 2,, n = 0 Block Ciphers - 10

11 Deriving a Cipher Linear Approximation - consider the following cipher construction - assume that the following linear approximations are known u 3 u 7 u 11 v 2 v 9 v 12 v 15 = 0 with prob = (L1) w 2 w 9 w 12 w 15 z 4 z 12 = 0 with prob = (L2) Block Ciphers - 11

12 - so (L1) becomes (x 3 k r1,3 ) (x 7 k r1,7) (x 11 k r1,11) v 2 v 9 v 12 v 15 = 0 since u 3 = x 3 k 1,3 u 7 = x 7 k 1,7 u 11 = x 11 k 1,11 and (L2) becomes (v 2 k r2,2 ) (v 9 k r2,9 ) (v 12 k r2,12 ) (v 15 k r2,15 ) (y 4 k r3,4 ) (y 12 k r3,12 ) = 0 since w 2 = v 2 k r2,2 w 9 = v 9 k r2,9 w 12 = v 12 k r2,12 w 15 = v 15 k r2,15 and y 4 = z 4 k 3,4 z 4 = y 4 k 3,4 y 12 = z 12 k r3,12 z 12 = y 12 k r3,12 - now, L1 L2 gives [(x 3 k r1,3 ) (x 7 k r1,7 ) (x 11 k r1,11 ) v 2 v 9 v 12 v 15 ] [(v 2 k r2,2 ) (v 9 k r2,9 ) (v 12 k r2,12 ) (v 15 k r2,15 ) (y 4 k r3,4 ) (y 12 k r3,12 )] = 0 0 x 3 x 7 x 11 y 4 y 12 Σ k = 0 where Σ k = k r1,3 k r1,7 k r1,11 k r2,2 k r2,9 k r2,12 k r2,15 k r3,4 k r3,12 with a probability bias of ε L = 2 (.625.5)( ) = (using piling-up lemma, with n = 2) p L = for the overall approximation Block Ciphers - 12

13 - Matsui in original paper on linear cryptanalysis of DES shows that required number of known plaintext/ciphertext pairs, N P, needed to distinguish a non-zero bias and thus determine the key XOR sum given by N P where c is small constant (eg. c = 10) - hence, in this case where ε L = = , we might expect N P plaintexts to attack cipher Linear Approximations of S-boxes - to construct good linear approximations must examine S-boxes (only nonlinear component in SPN) Consider SPN based on 4 4 S-box with mapping input A B C D E F output E 4 D 1 2 F B 8 3 A 6 C from binary truth table of S-box can determine bias of any linear approximation for S-box probability that approximation holds = number of rows where it holds / total number of rows Block Ciphers - 13

14 X 1 X 2 X 3 X 4 Y 1 Y 2 Y 3 Y 4 X 2 X 3 Y 1 Y 3 Y 4 X 1 X 4 Y 2 X 3 X Y 1 Y 4 eg. - we can determine the linear approximation corresponding to all = 256 possible combinations of input and output bits and thus determine high biases to be used in linear attack - S-box approximations can be combined to determine good cipher approximation with probability derived by piling-up lemma based on assumption that each S-box approximation is independent of other S-box approximations This is not strictly true, but works as a good estimate! Block Ciphers - 14

15 (d) Advanced Encryption Standard (AES) - cipher Rijndael accepted as AES standard in 2001 will be the most significant cipher for years to come - selected on basis of security (no successful attacks are known to exist) and efficiency (both in hardware and software implementations) - basic concept: SPN with permutation layer replaced with linear transformation where a linear transformation is defined such that each output bit of the operation is given by the XOR of a subset of input bits - AES parameters: block size = 128 bits key size = 128, 192, 256 bits # rounds = 10, 12, 14 depending on key size S-boxes all use the same 8 8 mapping - designed to be resistant to linear and differential attacks by (1) careful selection of S-box mapping (2) application of linear transformation instead of permutation increases diffusion and forces more active S-boxes for both linear and differential cryptanalysis Block Ciphers - 15

16 Aside: Finite Fields - finite fields appear frequently in cryptography - informally, finite field is defined as a finite set of elements and operations addition and multiplication such that we can do addition and multiplication (and also subtract and divide) without leaving the set - Note: additive inverse: a + b = 0 multiplicate inverse: a b = 1 b = a i.e., b is inverse of a b = a 1 i.e., b is inverse of a subtraction: a b a + ( b) division: a / b a b 1 - in a finite field, all elements (except 0) must have additive and multiplicative inverse additive inverse of 0 is 0, multiplicative inverse of 0 does not exist eg. Z!! = {0, 1, 2,, 10} with addition and multiplication modulo-11 is a finite field for all a Z!! (except 0): a = 11 a and a 1 exists because gcd(a, 11) = 1 (i.e., all elements of Z!!, except 0, relatively prime to 11 since 11 is prime) Block Ciphers - 16

17 eg. Z!" = {0, 1, 2,, 25} with addition and multiplication modulo-26 is not a finite field for all a Z!" (except 0): a = 26 a but a 1 does not necessarily exist 13 1 is undefined since gcd(13, 26) 1 cannot always divide eg. 11/13 =? - in general as previously noted, a 1 can be determined using extended Euclidean algorithm (to come) - in general, can easily define a finite field of order p, where p is prime, which we represent as GF(p) after Galois GF(p): p elements Z! = {0, 1, 2,, p 1} with +, executed modulo-p - in computers, it is convenient to represent data in binary form eg. n bits 2 n different values Can we define GF(2 n )? eg. GF(2 3 ) cannot use Z! and modulo math since a 1 does not exist for all a Z! not a finite field - consider representing an n-bit vector as a polynomial where represents bits of vector Block Ciphers - 17

18 addition/multiplication of polynomial operates on coefficients in GF(2) (i.e., addition is modulo-2) eg. GF(2 n ): - represent 2 n n-bit vectors as polynomials 2 n elements in the field - +, using modulo-2 math for co-efficients - if polynomial has degree > n 1, reduce using an irreducible polynomial m(x) of degree n i.e., m(x) cannot be factored eg. GF(2 3 ) using m(x) = x 3 + x + 1 Note: additive and multiplicative inverses exist for all elements of GF(2 3 ) except 000. Block Ciphers - 18

19 Consider Block Ciphers - 19

20 Back to AES (with figures from Stallings) Structure: 128 bit block 4 4 array of bytes bit round keys required 44 round (sub) keys of 32 bits Block Ciphers - 20

21 Substitute Byte Transformation: S-box: x y A B C D E F C 77 7B F2 6B 6F C B FE D7 AB 76 1 CA 82 C9 7D FA F0 AD D4 A2 AF 9C A4 72 C0 2 B7 FD F F7 CC 34 A5 E5 F1 71 D C7 23 C A E2 EB 27 B C 1A 1B 6E 5A A0 52 3B D6 B3 29 E3 2F D1 00 ED 20 FC B1 5B 6A CB BE 39 4A 4C 58 CF 6 D0 EF AA FB 43 4D F9 02 7F 50 3C 9F A A3 40 8F 92 9D 38 F5 BC B6 DA FF F3 D2 8 CD 0C 13 EC 5F C4 A7 7E 3D 64 5D F DC 22 2A EE B8 14 DE 5E 0B DB A E0 32 3A 0A C C2 D3 AC E4 79 B E7 C8 37 6D 8D D5 4E A9 6C 56 F4 EA 65 7A AE 08 C BA E 1C A6 B4 C6 E8 DD 74 1F 4B BD 8B 8A D 70 3E B F6 0E B9 86 C1 1D 9E E E1 F D9 8E 94 9B 1E 87 E9 CE DF F 8C A1 89 0D BF E D 0F B0 54 BB 16 Inverse S-box: x y A B C D E F A D A5 38 BF 40 A3 9E 81 F3 D7 FB 1 7C E B 2F FF E C4 DE E9 CB B A6 C2 23 3D EE 4C 95 0B 42 FA C3 4E E A D9 24 B2 76 5B A2 49 6D 8B D F8 F D4 A4 5C CC 5D 65 B C FD ED B9 DA 5E A7 8D 9D D8 AB 00 8C BC D3 0A F7 E B8 B D0 2C 1E 8F CA 3F 0F 02 C1 AF BD A 6B 8 3A F 67 DC EA 97 F2 CF CE F0 B4 E AC E7 AD E2 F9 37 E8 1C 75 DF 6E A 47 F1 1A 71 1D 29 C5 89 6F B7 62 0E AA 18 BE 1B B FC 56 3E 4B C6 D A DB C0 FE 78 CD 5A F4 C 1F DD A C7 31 B EC 5F D F A9 19 B5 4A 0D 2D E5 7A 9F 93 C9 9C EF E A0 E0 3B 4D AE 2A F5 B0 C8 EB BB 3C F 17 2B 04 7E BA 77 D6 26 E C 7D Block Ciphers - 21

22 S-box structure: - overall S-box can simply be implemented as table lookup or Boolean function without regard to ( ) 1 and b( ) Block Ciphers - 22

23 b( ): Why ( ) 1? Why b( )? good cryptographic properties (eg. low biases for linear approximations) does not affect properties of ( ) 1 but ensures that math not all GF(2 8 ) Inverse S-box: properties similar to forward S-box Block Ciphers - 23

24 Example: Show that AES S-box input X = maps to output Y = 2A 16. Shift Row Transformation: - a circular byte shift row i rotates i 1 to left Block Ciphers - 24

25 Mix Column Transformation: - mixes data within columns of state array S using all math is done in GF(2 8 ) using m(x) = x 8 + x 4 + x 3 + x + 1 eg. Block Ciphers - 25

26 - note only 2 multiplications needed (2 and 3 ) and 3x = 2x + x so can we simply implement 2? YES! (*) Proof of (*): Block Ciphers - 26

27 Key Mixing: - subkeys "added" to data using bit-by-bit XOR - for 128-bit key, takes 128 bits as first subkey and produces new subkey by using operations such as (1) rotation of bit positions, (2) substitution (using S-box) on bytes, and (3) bitwise XOR with a constant Block Ciphers - 27

28 Complete AES Encryption Round: Block Ciphers - 28

29 Decryption: Block Ciphers - 29

30 (e) Modes of Operation of Block Ciphers - various ways exist to apply block ciphers when encrypting several blocks of data we focus on the 3 most applied: ECB, CBC, Counter Electronic Codebook Mode (ECB) - ECB = straightforward application of block cipher given sequence of n blocks of size N bits, n blocks of ciphertext generated by encrypting each block separately under same key - decryption takes each ciphertext block y i independently and produces plaintext block x i - problem: y i = y j x i = x j if attacker knows (x i, y i ) and then observes y j = y i plaintext x j revealed DO NOT USE ECB FOR GENERAL ENCRYPTION - application: secure transmission of single values (eg. encryption key during key distribution phase) Block Ciphers - 30

31 Cipher Block Chaining (CBC) - often used when encrypting large messages using block ciphers since it does not suffer from ECB problem assume encryption of n blocks of size N bits encryption decryption - initialization vector (IV) should be unique but does not need to be random or secret - cannot encrypt blocks in parallel, thereby preventing high speed implementations using parallelization or pipelining - applications: (1) general purpose block encryption (2) authentication (to come) Block Ciphers - 31

32 Counter (CTR) Mode - in counter mode, block cipher produces keystream which is XORed with plaintext keystream is a pseudorandom sequence of bits designed to mimic one-time pad Let z i represent m bit keystream character keystream z 1, z 2,, z n produced by using a counter register to drive the block cipher input, taking the block cipher output as the keystream - initial count loaded into counter register to produce 1st ciphertext does not need to be random or secret - count incremented every block - count should be periodically reinitialized (eg. every session), but so that count is never repeated Block Ciphers - 32

33 - typical count format could be the following: nonce is a number used once (eg. session number ) count likely initialized to 0 and then incremented for each block - plaintext encrypted in groups of m bits where 1 m N where N is block size of cipher - larger m more efficient encryption eg. m = 1 one block cipher operation required for every bit of ciphertext m = N one block cipher operation required for every N bits of ciphertext - plaintext size can be any length in bits regardless of value of m does not need to be multiple of block length N - one bit in error in received ciphertext (eg. due to noisy communications channel) one bit in error in recovered plaintext - transmitter and receiver keystreams must be synchronized What happens if synchronization lost? decryption messed up and must be resynchronized by resending IV through signaling channel lots of overhead Block Ciphers - 33

34 - block cipher decryption operation not needed important because AES can be more efficient for encryption due to inefficiencies in inverse mix columns and decryption key scheduling - applications: (1) stream-oriented transmission over noisy channels (2) general purpose block encryption Error Propagation of Block Cipher Modes - different modes react differently to a bit error, a common occurrence in a noisy communications channel - "error propagation" refers to the magnification effect caused by cipher system in response to a bit error in communications channel ECB: CBC: Counter: 1 error in channel entire block corrupted 1 error in channel 1 block + 1 bit in next block corrupted 1 error in channel 1 bit error in recovered plaintext Block Ciphers - 34

35 Aside: Stream Ciphers - another category of symmetric key ciphers not as accepted as block ciphers such as AES - stream ciphers operate on one bit at a time and are designed to mimic one-time pad using a keystream generator to generate a pseudorandom sequence of bits that is difficult to predict - dedicated stream cipher designs tend to be targeted to compact and/or high-speed hardware implementations key sizes usually small at 80 or 128 bits - plaintext can be any length in bits (i.e., not a multiple of a block) - some block cipher modes designed to configure block cipher to operate as stream cipher (eg. Counter mode) Aside: Motivation for Public Key Cryptography - symmetric key ciphers encryption key decryption key But how do we get key k at both ends of a communication if no secure channel exists? Solution: Asymmetric or Public Key Cryptography Block Ciphers - 35

36 Aside: The Padding Oracle Attack... A Cautionary Tale - application of cryptography can be trickier than you might think using secure methods inappropriately can break systems - consider "padding oracle attack" which applies to CBC mode when a particular padding approach is used to fill out blocks - can assume AES is the block cipher, although the attack does not care which cipher is used and does not exploit any weakness of AES, but rather a misuse of CBC mode - consider encryption of two blocks (which is 32 bytes = 256 bits) - one standardized approach: always have at least one byte of padding zero bytes not possible, so padding from 1 to 16 bytes last byte of padding is filled with a value equal to the number of padding bytes all padding bytes are filled with the same value as the last padding byte Block Ciphers - 36

37 - some examples of plaintext padding: 1 byte of padding: 2 bytes of padding: 3 bytes of padding: - this padding approach was taken by many applications including Transport Layer Protocol (TLS), the protocol that gives us secure web browsing "https" - the padding oracle attack targets a system using CBC with this padding approach, and exploits information from a server's response to received messages Assumptions: an attacker has intercepted a two block ciphertext to decrypt (which contains some amount of padding) although not being able to decrypt directly, the attacker can transmit any amount of ciphertext to a server, which would be the intended recipient of the ciphertext the attacker can modify the captured ciphertext and send as many modified versions of the ciphertext to the server as they want for each ciphertext, the server will respond with one of two possible acknowledgements: (1) padding good, (2) padding bad Block Ciphers - 37

38 Problem: the response from the server is a leakage of information that is contained in the ciphertext and can be used to decrypt the entire ciphertext! - consider decryption of second of 2 ciphertext blocks y 1 and y 2 (generated using CBC) to produce x 1 and x 2 Block Ciphers - 38

39 - let x 2,16 (y 2,16 ) represent last byte of x 2 (y 2 ) block x 2,16 = "01" server responds "padding good" x 2,16 > "01" server responds "padding good" only if other padding bytes are correct eg. x 2,16 = "02" results in "padding good" message only if x 2,15 = "02", otherwise "padding bad" sent - attacker submits to server block ciphertexts y 1 y 2 with (1) y 2 unchanged from original ciphertext (2) y 1 randomly selected to be y!! (3) y 1,16 replaced by r where r is given all possible 256 values Block Ciphers - 39

40 for most values of r, server responds "padding bad" let r represent value of r for which server responds "padding good" very likely corresponds to padding of one byte since, if, r T!" = "01", then "padding good" result certain very unlikely padding of more than one byte will look correct r T!" = "02", then "padding good" result only! if y!,!" T!" = "02", which is unlikely - so, we assume that "padding good" r T!" = "01" T!" = r "01" x!,!" = T!" y!,!" (so original plaintext x 2,16 can be derived where y!,!" is the original ciphertext) - of course, x 2,16 is a padding byte, so we now infer all the padding bytes from x 2 Block Ciphers - 40

41 How do we get non-padding bytes? - without loss of generality, assume that x 2,16 = "01" (i.e., one padding byte) - to obtain x 2,15 (the last non-padding byte), set y 1,16 to y!,!" so that y!,!" T!" = "02" (i.e., the server thinks there are two padding bytes) - now try all values r for y 1,15, until, for r = r, server returns "padding good" r T!" = "02" T!" = r "02" x!,!" = T!" y!,!" (so original plaintext x 2,15 can be derived where y!,!" is the original ciphertext) Block Ciphers - 41

42 - attack can continue by pretending paddings of "03", 04, etc., until all bytes of plaintext block x 2 found - then attack can proceed against second to last block by deleting last block from ciphertext sent to server and fooling the server into responding to padding values in 2nd last ciphertext block - in the case of only two plaintext blocks, the attack modifies the bytes of the IV to find x 1 - note that the block cipher was not a factor, nor was how the padding actually occurred in the original plaintext - attack could be eliminated by modifying server's response to prevent leakage of information (that is, don't send "padding good/bad" message) may be hard to do, because server response could be an important part of protocol in some cases, even changing server's response does not solve the problem because just the time it takes for a server to respond might distinguish between the two cases of padding good and padding bad Block Ciphers - 42