Winter 2011 Josh Benaloh Brian LaMacchia

Similar documents
Practical Aspects of Modern Cryptography

Data Encryption Standard (DES)

Cryptographic Hash Functions

Lecture 2: Secret Key Cryptography

CSE 127: Computer Security Cryptography. Kirill Levchenko

Understanding Cryptography by Christof Paar and Jan Pelzl. Chapter 4 The Advanced Encryption Standard (AES) ver. October 28, 2009

Week 5: Advanced Encryption Standard. Click

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS

Jaap van Ginkel Security of Systems and Networks

Goals of Modern Cryptography

L3. An Introduction to Block Ciphers. Rocky K. C. Chang, 29 January 2015

Course Business. Midterm is on March 1. Final Exam is Monday, May 1 (7 PM) Allowed to bring one index card (double sided) Location: Right here

Outline. Data Encryption Standard. Symmetric-Key Algorithms. Lecture 4

Introduction to Cryptology. Lecture 17

Content of this part

CPSC 467b: Cryptography and Computer Security

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

Comp527 status items. Crypto Protocols, part 2 Crypto primitives. Bart Preneel July Install the smart card software. Today

Presented by: Kevin Hieb May 2, 2005

Block Ciphers. Lucifer, DES, RC5, AES. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk Block Ciphers 1

Jaap van Ginkel Security of Systems and Networks

CPSC 467b: Cryptography and Computer Security

Cryptography Functions

CSCE 715: Network Systems Security

Introduction to Modern Symmetric-Key Ciphers

CIS 4360 Secure Computer Systems Symmetric Cryptography

HOST Cryptography III ECE 525 ECE UNM 1 (1/18/18)

Stream Ciphers and Block Ciphers

Hashes, MACs & Passwords. Tom Chothia Computer Security Lecture 5

How many DES keys, on the average, encrypt a particular plaintext block to a particular ciphertext block?

Computer Security CS 526

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

EEC-484/584 Computer Networks

Cryptography [Symmetric Encryption]

Symmetric Primitives. (block ciphers, stream ciphers, hash functions, keyed hash functions and (pseudo)random number generators)

Cryptography and Network Security

Jaap van Ginkel Security of Systems and Networks

Fundamentals of Cryptography

Lecture 1 Applied Cryptography (Part 1)

Symmetric Encryption. Thierry Sans

PRNGs & DES. Luke Anderson. 16 th March University Of Sydney.

AES Advanced Encryption Standard

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

Cryptographic Hash Functions. Rocky K. C. Chang, February 5, 2015

Stream Ciphers and Block Ciphers

APNIC elearning: Cryptography Basics

Block Ciphers. Secure Software Systems

Cryptography and Network Security

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).

COMP4109 : Applied Cryptography

Block Ciphers Introduction

Cryptography. Summer Term 2010

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS

Homework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

Cryptographic Algorithms - AES

Advanced Encryption Standard and Modes of Operation. Foundations of Cryptography - AES pp. 1 / 50

CPSC 467: Cryptography and Computer Security

ECE596C: Handout #7. Analysis of DES and the AES Standard. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

Cryptography MIS

Crypto: Symmetric-Key Cryptography

CS-E4320 Cryptography and Data Security Lecture 5: Hash Functions

EEC-682/782 Computer Networks I

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Cryptographic Hash Functions

Data Integrity & Authentication. Message Authentication Codes (MACs)

Symmetric Cryptography. CS4264 Fall 2016

Encryption. INST 346, Section 0201 April 3, 2018

Message Authentication Codes and Cryptographic Hash Functions

Lecture 4. Encryption Continued... Data Encryption Standard (DES)

Information Security CS526

CSC 474/574 Information Systems Security

Introduction to Network Security Missouri S&T University CPE 5420 Data Integrity Algorithms

Unit 8 Review. Secure your network! CS144, Stanford University

ENEE 459-C Computer Security. Symmetric key encryption in practice: DES and AES algorithms

Security: Cryptography

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Jaap van Ginkel Security of Systems and Networks

Introduction to Cryptography. Lecture 6

Spring 2010: CS419 Computer Security

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Lecture 4: Symmetric Key Encryption

L3: Basic Cryptography II. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Symmetric-Key Cryptography

Cryptography: Symmetric Encryption [continued]

Network Security Essentials

CSc 466/566. Computer Security. 6 : Cryptography Symmetric Key

Network Security. Cryptographic Hash Functions Add-on. Benjamin s slides are authoritative. Chair for Network Architectures and Services

Lecture 4: Authentication and Hashing

Private-Key Encryption

Data Integrity & Authentication. Message Authentication Codes (MACs)

Symmetric Cryptography

CSC 774 Network Security

ENEE 457: Computer Systems Security 09/12/16. Lecture 4 Symmetric Key Encryption II: Security Definitions and Practical Constructions

Lecture 3: Symmetric Key Encryption

CSCI 454/554 Computer and Network Security. Topic 4. Cryptographic Hash Functions

6 Block Ciphers. 6.1 Block Ciphers CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

Transcription:

Winter 2011 Josh Benaloh Brian LaMacchia

Symmetric Cryptography January 20, 2011 Practical Aspects of Modern Cryptography 2

Agenda Symmetric key ciphers Stream ciphers Block ciphers Cryptographic hash functions January 20, 2011 Practical Aspects of Modern Cryptography 3

Agenda Symmetric key ciphers Stream ciphers Block ciphers Cryptographic hash functions January 20, 2011 Practical Aspects of Modern Cryptography 4

Public Key vs. Symmetric Key Recall from last time that in a public key cryptosystem, each participant has a key pair consisting of related keys January 20, 2011 Practical Aspects of Modern Cryptography 5

Public Key vs. Symmetric Key Recall from last time that in a public key cryptosystem, each participant has a key pair consisting of related keys Alice (or anyone) encrypts to Bob using Bob s public key January 20, 2011 Practical Aspects of Modern Cryptography 6

Public Key vs. Symmetric Key Recall from last time that in a public key cryptosystem, each participant has a key pair consisting of related keys Alice (or anyone) encrypts to Bob using Bob s public key Bob decrypts with Bob s private key January 20, 2011 Practical Aspects of Modern Cryptography 7

Public Key vs. Symmetric Key Recall from last time that in a public key cryptosystem, each participant has a key pair consisting of related keys Alice (or anyone) encrypts to Bob using Bob s public key Bob decrypts with Bob s private key Public keys are public January 20, 2011 Practical Aspects of Modern Cryptography 8

Public Key vs. Symmetric Key Recall from last time that in a public key cryptosystem, each participant has a key pair consisting of related keys Alice (or anyone) encrypts to Bob using Bob s public key Bob decrypts with Bob s private key Public keys are public They can be published in a directory, on a website, etc. January 20, 2011 Practical Aspects of Modern Cryptography 9

Public Key vs. Symmetric Key In contrast, in a symmetric key system, the same key is used for encryption and decryption January 20, 2011 Practical Aspects of Modern Cryptography 10

Public Key vs. Symmetric Key In contrast, in a symmetric key system, the same key is used for encryption and decryption Such keys must be kept secret January 20, 2011 Practical Aspects of Modern Cryptography 11

Public Key vs. Symmetric Key In contrast, in a symmetric key system, the same key is used for encryption and decryption Such keys must be kept secret Alice and Bob must both know the same secret key to use a symmetric cryptosystem with that key January 20, 2011 Practical Aspects of Modern Cryptography 12

Public Key vs. Symmetric Key In contrast, in a symmetric key system, the same key is used for encryption and decryption Such keys must be kept secret Alice and Bob must both know the same secret key to use a symmetric cryptosystem with that key Common pattern we will come back to later: January 20, 2011 Practical Aspects of Modern Cryptography 13

Public Key vs. Symmetric Key In contrast, in a symmetric key system, the same key is used for encryption and decryption Such keys must be kept secret Alice and Bob must both know the same secret key to use a symmetric cryptosystem with that key Common pattern we will come back to later: Use a public key cryptosystem to send/negotiate a randomly-generated secret key with the party to whom you wish to communicate January 20, 2011 Practical Aspects of Modern Cryptography 14

Public Key vs. Symmetric Key In contrast, in a symmetric key system, the same key is used for encryption and decryption Such keys must be kept secret Alice and Bob must both know the same secret key to use a symmetric cryptosystem with that key Common pattern we will come back to later: Use a public key cryptosystem to send/negotiate a randomly-generated secret key with the party to whom you wish to communicate Then use that secret key with a symmetric key cryptosystem January 20, 2011 Practical Aspects of Modern Cryptography 15

Symmetric Ciphers Private-key (symmetric) ciphers are usually divided into two classes. Stream ciphers Block ciphers January 20, 2011 Practical Aspects of Modern Cryptography 16

Symmetric Ciphers Private-key (symmetric) ciphers are usually divided into two classes. Stream ciphers Block ciphers January 20, 2011 Practical Aspects of Modern Cryptography 17

Stream Ciphers Examples of stream ciphers include RC4, A5/1, SEAL, etc. January 20, 2011 Practical Aspects of Modern Cryptography 18

Stream Ciphers Examples of stream ciphers include RC4, A5/1, SEAL, etc. Use the key as a seed to a pseudo-random numbergenerator. January 20, 2011 Practical Aspects of Modern Cryptography 19

Stream Ciphers Examples of stream ciphers include RC4, A5/1, SEAL, etc. Use the key as a seed to a pseudo-random numbergenerator. Take the stream of output bits from the PRNG and XOR it with the plaintext to form the ciphertext. January 20, 2011 Practical Aspects of Modern Cryptography 20

Stream Cipher Encryption Plaintext: PRNG(seed): Ciphertext: January 20, 2011 Practical Aspects of Modern Cryptography 21

Stream Cipher Decryption Ciphertext: PRNG(seed): Plaintext: January 20, 2011 Practical Aspects of Modern Cryptography 22

Some Good Properties Stream ciphers are typically very fast. January 20, 2011 Practical Aspects of Modern Cryptography 23

Some Good Properties Stream ciphers are typically very fast. Stream ciphers can be very simple. January 20, 2011 Practical Aspects of Modern Cryptography 24

Some Good Properties Stream ciphers are typically very fast. Stream ciphers can be very simple. The same function is used for encryption and decryption. January 20, 2011 Practical Aspects of Modern Cryptography 25

A Sample PRNG: Alleged RC4 Initialization S*0..255+ = 0,1,,255 K[0..255] = Key,Key,Key, for i = 0 to 255 j = (j + S[i] + K[i]) mod 256 swap S[i] and S[j] January 20, 2011 Practical Aspects of Modern Cryptography 26

A Sample PRNG: Alleged RC4 Iteration i = (i + 1) mod 256 j = (j + S[i]) mod 256 swap S[i] and S[j] t = (S[i] + S[j]) mod 256 Output S[t] January 20, 2011 Practical Aspects of Modern Cryptography 27

Stream Cipher Security If two plaintexts are ever encrypted with the same stream cipher and key C 1 = K P 1 C 2 = K P 2 an attacker can easily compute C 1 C 2 = P 1 P 2 from which P 1 and P 2 can usually be teased apart easily. January 20, 2011 Practical Aspects of Modern Cryptography 28

Stream Cipher Encryption Plaintext: PRNG(seed): Ciphertext: January 20, 2011 Practical Aspects of Modern Cryptography 29

Stream Cipher Integrity It is easy for an adversary (even one who can t decrypt the ciphertext) to alter the plaintext in a known way. Bob to Bob s Bank: Please transfer $0,000,002.00 to the account of my good friend Alice. January 20, 2011 Practical Aspects of Modern Cryptography 30

Stream Cipher Integrity It is easy for an adversary (even one who can t decrypt the ciphertext) to alter the plaintext in a known way. Bob to Bob s Bank: Please transfer $1,000,002.00 to the account of my good friend Alice. January 20, 2011 Practical Aspects of Modern Cryptography 31

Stream Cipher Integrity It is easy for an adversary (even one who can t decrypt the ciphertext) to alter the plaintext in a known way. Bob to Bob s Bank: Please transfer $1,000,002.00 to the account of my good friend Alice. This can be protected against by the careful addition of appropriate redundancy. January 20, 2011 Practical Aspects of Modern Cryptography 32

Stream Ciphers are Fragile They are broken by key re-use. January 20, 2011 Practical Aspects of Modern Cryptography 33

Stream Ciphers are Fragile They are broken by key re-use. They require integrity checking. January 20, 2011 Practical Aspects of Modern Cryptography 34

Stream Ciphers are Fragile They are broken by key re-use. They require integrity checking. If you re going to use a stream cipher Seriously consider other options. Make sure you understand the risks if you make a mistake in use January 20, 2011 Practical Aspects of Modern Cryptography 35

Symmetric Ciphers Private-key (symmetric) ciphers are usually divided into two classes. Stream ciphers Block ciphers January 20, 2011 Practical Aspects of Modern Cryptography 36

Block Ciphers Why are they called block ciphers? January 20, 2011 Practical Aspects of Modern Cryptography 37

Block Ciphers Why are they called block ciphers? Because the cipher is defined as a function on a fixed-size block of data. January 20, 2011 Practical Aspects of Modern Cryptography 38

Block Ciphers Why are they called block ciphers? Because the cipher is defined as a function on a fixed-size block of data. This is called the block size and is a fundamental parameter of the cipher. January 20, 2011 Practical Aspects of Modern Cryptography 39

Block Ciphers Why are they called block ciphers? Because the cipher is defined as a function on a fixed-size block of data. This is called the block size and is a fundamental parameter of the cipher. Today 8- or 16-byte blocks are common, but other sizes are possible. January 20, 2011 Practical Aspects of Modern Cryptography 40

Block Ciphers Why are they called block ciphers? Because the cipher is defined as a function on a fixed-size block of data. This is called the block size and is a fundamental parameter of the cipher. Today 8- or 16-byte blocks are common, but other sizes are possible. Question: What s the block size of a stream cipher? January 20, 2011 Practical Aspects of Modern Cryptography 41

Block Ciphers -- Encryption Key Plaintext Data Usually 8 or 16 bytes Block Cipher Ciphertext January 20, 2011 Practical Aspects of Modern Cryptography 42

Block Ciphers -- Decryption Key Ciphertext Inverse Cipher Plaintext January 20, 2011 Practical Aspects of Modern Cryptography 43

Block Ciphers Q: What do I do if I want to encrypt more that one block of data with a block cipher? January 20, 2011 Practical Aspects of Modern Cryptography 44

Block Ciphers Q: What do I do if I want to encrypt more that one block of data with a block cipher? Simple A: Divide the to-be-encrypted plaintext into blocksize chunks, and then apply the cipher to each block. January 20, 2011 Practical Aspects of Modern Cryptography 45

Block Ciphers Q: What do I do if I want to encrypt more that one block of data with a block cipher? Simple A: Divide the to-be-encrypted plaintext into blocksize chunks, and then apply the cipher to each block. Real A: Divide the to-be-encrypted plaintext into blocksize chunks, and then apply the cipher to the sequence of blocks using a mode of operation. January 20, 2011 Practical Aspects of Modern Cryptography 46

Block Cipher Modes Electronic Code Book (ECB) Encryption: Plaintext Block Cipher Block Cipher Block Cipher Block Cipher Ciphertext January 20, 2011 Practical Aspects of Modern Cryptography 47

Block Cipher Modes Electronic Code Book (ECB) Decryption: Plaintext Inverse Cipher Inverse Cipher Inverse Cipher Inverse Cipher Ciphertext January 20, 2011 Practical Aspects of Modern Cryptography 48

Block Cipher Modes Electronic Code Book (ECB) Encryption: Plaintext Block Cipher Block Cipher Block Cipher Block Cipher Ciphertext January 20, 2011 Practical Aspects of Modern Cryptography 49

Why is ECB of Concern? January 20, 2011 Practical Aspects of Modern Cryptography 50

Why is ECB of Concern? ECB January 20, 2011 Practical Aspects of Modern Cryptography 51

Block Cipher Modes Cipher Block Chaining (CBC) Encryption: Incorporate an Initial Value (IV) which changes with each encryption. The IV can be A counter A random value Openly known January 20, 2011 Practical Aspects of Modern Cryptography 52

Block Cipher Modes Cipher Block Chaining (CBC) Encryption: IV Plaintext Block Cipher Block Cipher Block Cipher Block Cipher Ciphertext January 20, 2011 Practical Aspects of Modern Cryptography 53

Block Cipher Modes Cipher Block Chaining (CBC) Decryption: IV Plaintext Inverse Cipher Inverse Cipher Inverse Cipher Inverse Cipher Ciphertext January 20, 2011 Practical Aspects of Modern Cryptography 54

Block Cipher Modes Cipher Block Chaining (CBC) Encryption: IV Plaintext Block Cipher Block Cipher Block Cipher Block Cipher Ciphertext January 20, 2011 Practical Aspects of Modern Cryptography 55

Example Block Ciphers DES 3DES AES RC2, RC5, TwoFish, Serpent, etc. January 20, 2011 Practical Aspects of Modern Cryptography 56

Example Block Ciphers DES 3DES AES RC2, RC5, TwoFish, Serpent, etc. January 20, 2011 Practical Aspects of Modern Cryptography 57

Example Block Ciphers DES 3DES AES RC2, RC5, TwoFish, Serpent, etc. January 20, 2011 Practical Aspects of Modern Cryptography 58

Example Block Ciphers DES 3DES AES RC2, RC5, TwoFish, Serpent, etc. January 20, 2011 Practical Aspects of Modern Cryptography 59

How to Build a Block Cipher Plaintext Key Block Cipher Ciphertext January 20, 2011 Practical Aspects of Modern Cryptography 60

Feistel Ciphers Ugly January 20, 2011 Practical Aspects of Modern Cryptography 61

Feistel Ciphers Ugly January 20, 2011 Practical Aspects of Modern Cryptography 62

Feistel Ciphers Ugly January 20, 2011 Practical Aspects of Modern Cryptography 63

Feistel Ciphers Ugly January 20, 2011 Practical Aspects of Modern Cryptography 64

Feistel Ciphers Ugly Ugly January 20, 2011 Practical Aspects of Modern Cryptography 65

Feistel Ciphers Typically, most Feistel ciphers are iterated for about 16 rounds. Different sub-keys are used for each round. Even a weak round function can yield a strong Feistel cipher if iterated sufficiently. January 20, 2011 Practical Aspects of Modern Cryptography 66

Data Encryption Standard (DES) 64-bit Plaintext 56-bit Key Block Cipher 64-bit Ciphertext January 20, 2011 Practical Aspects of Modern Cryptography 67

Data Encryption Standard (DES) 64-bit Plaintext 56-bit Key 16 Feistel Rounds 64-bit Ciphertext January 20, 2011 Practical Aspects of Modern Cryptography 68

Data Encryption Standard (DES) 64-bit Plaintext 56-bit Key 16 Feistel Rounds 64-bit Ciphertext January 20, 2011 Practical Aspects of Modern Cryptography 69

DES Round Ugly January 20, 2011 Practical Aspects of Modern Cryptography 70

Simplified DES Round Function 32 bits Ugly Sub-key 4-bit substitutions 32-bit permutation January 20, 2011 Practical Aspects of Modern Cryptography 71

Actual DES Round Function 32 bits Ugly Sub-key 48 bits 6/4-bit substitutions 32-bit permutation January 20, 2011 Practical Aspects of Modern Cryptography 72

Advanced Encryption Standard Open competition run by NIST to replace DES 128-bit block size Key sizes of 128, 192, and 256 bits 15 ciphers were submitted 5 finalists were chosen January 20, 2011 Practical Aspects of Modern Cryptography 73

AES Finalists MARS (IBM submission) RC6 (RSA Labs submission) Rijndael (Joan Daemen and Vincent Rijmen) Serpent (Anderson, Biham, and Knudsen) Twofish (Schneier, et. al.) January 20, 2011 Practical Aspects of Modern Cryptography 74

AES Finalists MARS (IBM submission) RC6 (RSA Labs submission) Rijndael (Joan Daemen and Vincent Rijmen) Serpent (Anderson, Biham, and Knudsen) Twofish (Schneier, et. al.) January 20, 2011 Practical Aspects of Modern Cryptography 75

Rijndael k 0,0 k 0,1 k 0,2 k 0,3 k 0,4 k 0,5 k 0,6 k 0,7 k 1,0 k 1,1 k 1,2 k 1,3 k 1,4 k 1,5 k 1,6 k 1,7 k 2,0 k 2,1 k 2,2 k 2,3 k 2,4 k 2,5 k 2,6 k 2,7 k 3,0 k 3,1 k 3,2 k 3,3 k 3,4 k 3,5 k 3,6 k 3,7 16, 24, or 32 bytes of key 16, 24, or 32 bytes of data a 0,0 a 0,1 a 0,2 a 0,3 a 0,4 a 0,5 a 0,6 a 0,7 a 1,0 a 1,1 a 1,2 a 1,3 a 1,4 a 1,5 a 1,6 a 1,7 a 2,0 a 2,1 a 2,2 a 2,3 a 2,4 a 2,5 a 2,6 a 2,7 a 3,0 a 3,1 a 3,2 a 3,3 a 3,4 a 3,5 a 3,6 a 3,7 January 20, 2011 Practical Aspects of Modern Cryptography 76

Rijndael 4 transformations per round ByteSub: nonlinearity ShiftRow: inter-column diffusion MixColumn: inter-byte diffusion Round key addition January 20, 2011 Practical Aspects of Modern Cryptography 77

Rijndael ByteSub a 0,0 a 0,1 a 0,2 a 0,3 a 1,0 a 1,1 a 1,2 a 1,3 a 2,0 a 2,1 a 2,2 a 2,3 a 3,0 a 3,1 a 3,2 a 3,3 b 0,0 b 0,1 b 0,2 b 0,3 b 1,0 b 1,1 b 1,2 b 1,3 b 2,0 b 2,1 b 2,2 b 2,3 b 3,0 b 3,1 b 3,2 b 3,3 A single 8-bit to 8-bit (invertible) S-box is applied to each byte. Practical January Aspects 20, 2011 of Modern Cryptography Practical Aspects of Modern Cryptography 78 January 20, 2011 78

Rijndael MixColumn a 0,0 a 0,1 a 0,2 a 0,3 a 1,0 a 1,1 a 1,2 a 1,3 a 2,0 a 2,1 a 2,2 a 2,3 a 3,0 a 3,1 a 3,2 a 3,3 b 0,0 b 0,1 b 0,2 b 0,3 b 1,0 b 1,1 b 1,2 b 1,3 b 2,0 b 2,1 b 2,2 b 2,3 b 3,0 b 3,1 b 3,2 b 3,3 An (invertible) linear transform is applied to each column. Practical January Aspects 20, 2011 of Modern Cryptography Practical Aspects of Modern Cryptography 79 January 20, 2011 79

Rijndael ShiftRow a 0,0 a 0,1 a 0,2 a 0,3 a 1,0 a 1,1 a 1,2 a 1,3 a 2,0 a 2,1 a 2,2 a 2,3 a 3,0 a 3,1 a 3,2 a 3,3 a 0,0 a 0,1 a 0,2 a 0,3 a 1,3 a 1,0 a 1,1 a 1,2 a 2,2 a 2,3 a 2,0 a 2,1 a 3,1 a 3,2 a 3,3 a 3,0 A different cyclic shift is applied to each row. Practical January Aspects 20, 2011 of Modern Cryptography Practical Aspects of Modern Cryptography 80 January 20, 2011 80

Rijndael Round key addition a 0,0 a 0,1 a 0,2 a 0,3 a 1,0 a 1,1 a 1,2 a 1,3 a 2,0 a 2,1 a 2,2 a 2,3 a 3,0 a 3,1 a 3,2 a 3,3 k 0,0 k 0,1 k 0,2 k 0,3 k 1,0 k 1,1 k 1,2 k 1,3 k 2,0 k 2,1 k 2,2 k 2,3 k 3,0 k 3,1 k 3,2 k 3,3 = b 0,0 b 0,1 b 0,2 b 0,3 b 1,0 b 1,1 b 1,2 b 1,3 b 2,0 b 2,1 b 2,2 b 2,3 b 3,0 b 3,1 b 3,2 b 3,3 The round key is XORed to complete the round. Practical January Aspects 20, 2011 of Modern Cryptography Practical Aspects of Modern Cryptography 81 January 20, 2011 81

Rijndael Key Schedule k 0 k 1 k 2 k 3 k 4 k 5 k 6 k 7 k 8 k 9 k 10 k 11 Round key 0 Round key 1 Round key 2 The key schedule is defined on 4-byte words by k i = k i-4 k i-1 when i is not a multiple of 4 k i = k i-4 f(k i-1 ) when i is a multiple of 4 Practical January Aspects 20, 2011 of Modern Cryptography Practical Aspects of Modern Cryptography 82 January 20, 2011 82

Agenda Symmetric key ciphers Stream ciphers Block ciphers Cryptographic hash functions January 20, 2011 Practical Aspects of Modern Cryptography 83

One-Way Hash Functions Generally, a one-way hash function is a function H : {0,1}* {0,1} k such that given an input value x, one cannot find a value x x such H(x) = H(x ). January 20, 2011 Practical Aspects of Modern Cryptography 84

One-Way Hash Functions Generally, a one-way hash function is a function H : {0,1}* {0,1} k such that given an input value x, one cannot find a value x x such H(x) = H(x ). Typically k is 128, 160, 256, 384, or 512 January 20, 2011 Practical Aspects of Modern Cryptography 85

One-Way Hash Functions There are many properties of one-way hashes. Non-invertability: given y, it s difficult to find any x such that H(x) = y. January 20, 2011 Practical Aspects of Modern Cryptography 86

One-Way Hash Functions There are many properties of one-way hashes. Non-invertability: given y, it s difficult to find any x such that H(x) = y. Second-preimage resistance: given x, it s difficult to find x x such that H(x) = H(x ). January 20, 2011 Practical Aspects of Modern Cryptography 87

One-Way Hash Functions There are many properties of one-way hashes. Non-invertability: given y, it s difficult to find any x such that H(x) = y. Second-preimage resistance: given x, it s difficult to find x x such that H(x) = H(x ). Collision-intractability: one cannot find a pair of values x x such that H(x) = H(x ). January 20, 2011 Practical Aspects of Modern Cryptography 88

Some Important Uses of One-Way Hash Functions When using a stream cipher, a hash of the message can be appended to ensure integrity. [Message Authentication Code] January 20, 2011 Practical Aspects of Modern Cryptography 89

Some Important Uses of One-Way Hash Functions When using a stream cipher, a hash of the message can be appended to ensure integrity. [Message Authentication Code] When forming a digital signature, the signature need only be applied to a hash of the message. [Message Digest] January 20, 2011 Practical Aspects of Modern Cryptography 90

What else are Hash Functions Good for? Hash functions are useful in lots of situations; here are some additional examples January 20, 2011 Practical Aspects of Modern Cryptography 91

What else are Hash Functions Good for? Hash functions are useful in lots of situations; here are some additional examples Uniquely and securely identify bit streams like programs. Hash is strong name for program. January 20, 2011 Practical Aspects of Modern Cryptography 92

What else are Hash Functions Good for? Hash functions are useful in lots of situations; here are some additional examples Uniquely and securely identify bit streams like programs. Hash is strong name for program. Entropy mixing: Since cryptographic hashes are random functions into fixed size blocks with the properties of random functions, they are often used to mix biased input to produce a seed for a pseudo-random number generator. January 20, 2011 Practical Aspects of Modern Cryptography 93

What else are Hash Functions Good for? Hash functions are useful in lots of situations; here are some additional examples Uniquely and securely identify bit streams like programs. Hash is strong name for program. Entropy mixing: Since cryptographic hashes are random functions into fixed size blocks with the properties of random functions, they are often used to mix biased input to produce a seed for a pseudo-random number generator. Password Protection: Store salted hash of password instead of password (Needham). January 20, 2011 Practical Aspects of Modern Cryptography 94

What else are Hash Functions Good for? Hash functions are useful in lots of situations; here are some additional examples Uniquely and securely identify bit streams like programs. Hash is strong name for program. Entropy mixing: Since cryptographic hashes are random functions into fixed size blocks with the properties of random functions, they are often used to mix biased input to produce a seed for a pseudo-random number generator. Password Protection: Store salted hash of password instead of password (Needham). Bit Commitment January 20, 2011 Practical Aspects of Modern Cryptography 95

Merkle-Damgård Construction (IV) Large Input (e.g. 512 bits) Compression Function Smaller Output (e.g. 256 bits) January 20, 2011 Practical Aspects of Modern Cryptography 96

A Cryptographic Hash: SHA-1 (IV) 512-bit Input Compression Function 160-bit Output January 20, 2011 Practical Aspects of Modern Cryptography 97

A Cryptographic Hash: SHA-1 160-bit 512-bit One of 80 rounds January 20, 2011 Practical Aspects of Modern Cryptography 98

A Cryptographic Hash: SHA-1 160-bit 512-bit No Change One of 80 rounds January 20, 2011 Practical Aspects of Modern Cryptography 99

A Cryptographic Hash: SHA-1 160-bit 512-bit Rotate 30 bits One of 80 rounds January 20, 2011 Practical Aspects of Modern Cryptography 100

A Cryptographic Hash: SHA-1 160-bit 512-bit No Change One of 80 rounds January 20, 2011 Practical Aspects of Modern Cryptography 101

A Cryptographic Hash: SHA-1 160-bit 512-bit No Change One of 80 rounds January 20, 2011 Practical Aspects of Modern Cryptography 102

A Cryptographic Hash: SHA-1 160-bit 512-bit? One of 80 rounds January 20, 2011 Practical Aspects of Modern Cryptography 103

A Cryptographic Hash: SHA-1 What s in the final 32-bit transform? Take the rightmost word. January 20, 2011 Practical Aspects of Modern Cryptography 104

A Cryptographic Hash: SHA-1 What s in the final 32-bit transform? Take the rightmost word. Add in the leftmost word rotated 5 bits. January 20, 2011 Practical Aspects of Modern Cryptography 105

A Cryptographic Hash: SHA-1 What s in the final 32-bit transform? Take the rightmost word. Add in the leftmost word rotated 5 bits. Add in a round-dependent function f of the middle three words. January 20, 2011 Practical Aspects of Modern Cryptography 106

A Cryptographic Hash: SHA-1 160-bit 512-bit f One of 80 rounds January 20, 2011 Practical Aspects of Modern Cryptography 107

A Cryptographic Hash: SHA-1 Depending on the round, the non-linear function f is one of the following. f(x,y,z) = (X Y) (( X) Z) f(x,y,z) = (X Y) (X Z) (Y Z) f(x,y,z) = X Y Z January 20, 2011 Practical Aspects of Modern Cryptography 108

A Cryptographic Hash: SHA-1 What s in the final 32-bit transform? Take the rightmost word. Add in the leftmost word rotated 5 bits. Add in a round-dependent function f of the middle three words. January 20, 2011 Practical Aspects of Modern Cryptography 109

A Cryptographic Hash: SHA-1 What s in the final 32-bit transform? Take the rightmost word. Add in the leftmost word rotated 5 bits. Add in a round-dependent function f of the middle three words. Add in a round-dependent constant. January 20, 2011 Practical Aspects of Modern Cryptography 110

A Cryptographic Hash: SHA-1 What s in the final 32-bit transform? Take the rightmost word. Add in the leftmost word rotated 5 bits. Add in a round-dependent function f of the middle three words. Add in a round-dependent constant. Add in a portion of the 512-bit message. January 20, 2011 Practical Aspects of Modern Cryptography 111

A Cryptographic Hash: SHA-1 January 20, 2011 Practical Aspects of Modern Cryptography Picture from Wikipedia 112

A Cryptographic Hash: SHA-1 160-bit 512-bit One of 80 rounds January 20, 2011 Practical Aspects of Modern Cryptography 113

From SHA-1 to SHA-2 Quick history: in 1993, NIST published SHA (Secure Hash Algorithm) as part of FIPS 180, Secure Hash Standard. January 20, 2011 Practical Aspects of Modern Cryptography 114

From SHA-1 to SHA-2 Quick history: in 1993, NIST published SHA (Secure Hash Algorithm) as part of FIPS 180, Secure Hash Standard. Designed by NSA January 20, 2011 Practical Aspects of Modern Cryptography 115

From SHA-1 to SHA-2 Quick history: in 1993, NIST published SHA (Secure Hash Algorithm) as part of FIPS 180, Secure Hash Standard. Designed by NSA Withdrawn in 1995 and replaced with SHA-1 January 20, 2011 Practical Aspects of Modern Cryptography 116

From SHA-1 to SHA-2 Quick history: in 1993, NIST published SHA (Secure Hash Algorithm) as part of FIPS 180, Secure Hash Standard. Designed by NSA Withdrawn in 1995 and replaced with SHA-1 One modification: single bitwise rotation added January 20, 2011 Practical Aspects of Modern Cryptography 117

From SHA-1 to SHA-2 Quick history: in 1993, NIST published SHA (Secure Hash Algorithm) as part of FIPS 180, Secure Hash Standard. Designed by NSA Withdrawn in 1995 and replaced with SHA-1 One modification: single bitwise rotation added In 2001, NIST revises FIPS 180 and adds SHA-2 January 20, 2011 Practical Aspects of Modern Cryptography 118

From SHA-1 to SHA-2 Quick history: in 1993, NIST published SHA (Secure Hash Algorithm) as part of FIPS 180, Secure Hash Standard. Designed by NSA Withdrawn in 1995 and replaced with SHA-1 One modification: single bitwise rotation added In 2001, NIST revises FIPS 180 and adds SHA-2 Also designed by NSA January 20, 2011 Practical Aspects of Modern Cryptography 119

From SHA-1 to SHA-2 Quick history: in 1993, NIST published SHA (Secure Hash Algorithm) as part of FIPS 180, Secure Hash Standard. Designed by NSA Withdrawn in 1995 and replaced with SHA-1 One modification: single bitwise rotation added In 2001, NIST revises FIPS 180 and adds SHA-2 Also designed by NSA Originally 3 variants: SHA-256, SHA-384, SHA-512 January 20, 2011 Practical Aspects of Modern Cryptography 120

From SHA-1 to SHA-2 Quick history: in 1993, NIST published SHA (Secure Hash Algorithm) as part of FIPS 180, Secure Hash Standard. Designed by NSA Withdrawn in 1995 and replaced with SHA-1 One modification: single bitwise rotation added In 2001, NIST revises FIPS 180 and adds SHA-2 Also designed by NSA Originally 3 variants: SHA-256, SHA-384, SHA-512 SHA-224 added later January 20, 2011 Practical Aspects of Modern Cryptography 121

Merkle-Damgård Construction (IV) Large Input (e.g. 512 bits) Compression Function Smaller Output (e.g. 256 bits) January 20, 2011 Practical Aspects of Modern Cryptography 122

A Cryptographic Hash: SHA-2 Prior State 256 or 512 bits New Message Bits 256 or 512 bits A B C D E F G H A B C D E F G H One of 64 rounds January 20, 2011 Practical Aspects of Modern Cryptography 123

A Cryptographic Hash: SHA-2 Prior State 256 or 512 bits New Message Bits 256 or 512 bits A B C D E F G H No Change A B C D E F G H One of 64 rounds B = A C = B D = C F = E G = F H = G January 20, 2011 Practical Aspects of Modern Cryptography 124

A Cryptographic Hash: SHA-2 Prior State 256 or 512 bits New Message Bits 256 or 512 bits A B C D E F G H What about the last 2? A B C D E F G H One of 64 rounds January 20, 2011 Practical Aspects of Modern Cryptography 125

A Cryptographic Hash: SHA-2 January 20, 2011 Practical Aspects of Modern Cryptography Picture from Wikipedia 126

From SHA-2 to SHA-3 In 2007, NIST announced that it would hold an open competition to pick a new SHA-3 hash function January 20, 2011 Practical Aspects of Modern Cryptography 127

From SHA-2 to SHA-3 In 2007, NIST announced that it would hold an open competition to pick a new SHA-3 hash function Similar to the competition held to pick AES. January 20, 2011 Practical Aspects of Modern Cryptography 128

From SHA-2 to SHA-3 In 2007, NIST announced that it would hold an open competition to pick a new SHA-3 hash function Similar to the competition held to pick AES. Submissions were due 31 October 2008 January 20, 2011 Practical Aspects of Modern Cryptography 129

From SHA-2 to SHA-3 In 2007, NIST announced that it would hold an open competition to pick a new SHA-3 hash function Similar to the competition held to pick AES. Submissions were due 31 October 2008 51 submissions accepted by NIST for Round One January 20, 2011 Practical Aspects of Modern Cryptography 130

From SHA-2 to SHA-3 In 2007, NIST announced that it would hold an open competition to pick a new SHA-3 hash function Similar to the competition held to pick AES. Submissions were due 31 October 2008 51 submissions accepted by NIST for Round One 14 submissions advanced to Round 2 January 20, 2011 Practical Aspects of Modern Cryptography 131

From SHA-2 to SHA-3 In 2007, NIST announced that it would hold an open competition to pick a new SHA-3 hash function Similar to the competition held to pick AES. Submissions were due 31 October 2008 51 submissions accepted by NIST for Round One 14 submissions advanced to Round 2 5 finalists (announced December 10, 2010) January 20, 2011 Practical Aspects of Modern Cryptography 132

From SHA-2 to SHA-3 In 2007, NIST announced that it would hold an open competition to pick a new SHA-3 hash function Similar to the competition held to pick AES. Submissions were due 31 October 2008 51 submissions accepted by NIST for Round One 14 submissions advanced to Round 2 5 finalists (announced December 10, 2010) SHA-3 expected to be formally selected in 2012 January 20, 2011 Practical Aspects of Modern Cryptography 133

The SHA-3 Finalists BLAKE Grøstl (Knudsen et al.) JH Keccak (Keccak team, Daemen et al.) Skein (Schneier et al.) January 20, 2011 Practical Aspects of Modern Cryptography 134

State of the Art for Hashes Collisions have been demonstrated for MD4 and MD5! The first SHA-1 collisions are likely to be found soon. January 20, 2011 Practical Aspects of Modern Cryptography 135

Integrity Checking Desirable for block ciphers Essential for stream ciphers January 20, 2011 Practical Aspects of Modern Cryptography 136

One-Way Hash Functions The idea of a checksum is great, but it is designed to prevent accidental changes in a message. For cryptographic integrity, we need an integrity check that is resilient against a smart and determined adversary. January 20, 2011 Practical Aspects of Modern Cryptography 137

Message Authentication Codes A Message Authentication Code (MAC) is often constructed with a keyed hash. If one hashes a secret key together with the correct message, an attacker who doesn t know the key will be unable to change the message without detection. But how? January 20, 2011 Practical Aspects of Modern Cryptography 138

Cipher Integrity Original plaintext P. Encryption key K 1. MAC key K 2. Ciphertext C=E K1 (P). MAC M=H K2 (P) or M=H K2 (C). Transmit (C,M). January 20, 2011 Practical Aspects of Modern Cryptography 139

Message Authentication Codes MAC key K, plaintext P, ciphertext C=E(P). MAC=H(K,P)? MAC=H(P,K)? MAC=H(K,C)? MAC=H(C,K)? There are weaknesses with all of the above. HMAC = H(K,H(K,P)) January 20, 2011 Practical Aspects of Modern Cryptography 140

Crypto Hygiene Do I really need to use different keys for encryption and integrity? It s always a good idea to use separate keys for separate functions, but the keys can be derived from the same master. K 1 =H( Key1,K) K 2 =H( Key2,K) January 20, 2011 Practical Aspects of Modern Cryptography 141

Message Digests A message digest is a short unforgeable fingerprint of a long message. A simple hash can serve as a message digest. January 20, 2011 Practical Aspects of Modern Cryptography 142

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback