PRNGs & DES. Luke Anderson. 16 th March University Of Sydney.

Similar documents
Chapter 3 Block Ciphers and the Data Encryption Standard

Symmetric Cryptography. Chapter 6

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

Stream ciphers. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 91

Block Ciphers and Data Encryption Standard. CSS Security and Cryptography

Winter 2011 Josh Benaloh Brian LaMacchia

Network Security. Lecture# 6 Lecture Slides Prepared by: Syed Irfan Ullah N.W.F.P. Agricultural University Peshawar

Cryptography and Network Security Chapter 3. Modern Block Ciphers. Block vs Stream Ciphers. Block Cipher Principles

Symmetric Encryption. Thierry Sans

Symmetric Encryption Algorithms

Practical Aspects of Modern Cryptography

Network Security Essentials Chapter 2

Computer and Data Security. Lecture 3 Block cipher and DES

6 Block Ciphers. 6.1 Block Ciphers CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

Stream Ciphers. Stream Ciphers 1

Computer Security 3/23/18

Cryptography [Symmetric Encryption]

Cryptography and Network Security. Sixth Edition by William Stallings

Lecture 2: Secret Key Cryptography

Modern Block Ciphers

ICT 6541 Applied Cryptography. Hossen Asiful Mustafa

Cryptographic Primitives A brief introduction. Ragesh Jaiswal CSE, IIT Delhi

Information Security CS526

3 Symmetric Cryptography

Chapter 6: Contemporary Symmetric Ciphers

Lecture 1 Applied Cryptography (Part 1)

CENG 520 Lecture Note III

Lecture 4: Symmetric Key Encryption

Stream Ciphers and Block Ciphers

Comp527 status items. Crypto Protocols, part 2 Crypto primitives. Bart Preneel July Install the smart card software. Today

Information Security CS526

Fundamentals of Cryptography

Symmetric Key Cryptography

Stream Ciphers and Block Ciphers

Block Ciphers and the Data Encryption Standard (DES) Modified by: Dr. Ramzi Saifan

Cryptography BITS F463 S.K. Sahay

Goals of Modern Cryptography

CSC 474/574 Information Systems Security

CSC574: Computer & Network Security

Network Security Essentials

Security. Communication security. System Security

Block Ciphers. Lucifer, DES, RC5, AES. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk Block Ciphers 1

Cryptography 2017 Lecture 3

CSCI 454/554 Computer and Network Security. Topic 3.1 Secret Key Cryptography Algorithms

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Cryptography and Network Security

L3. An Introduction to Block Ciphers. Rocky K. C. Chang, 29 January 2015

Cryptography and Network Security Chapter 7

Course Business. Midterm is on March 1. Final Exam is Monday, May 1 (7 PM) Allowed to bring one index card (double sided) Location: Right here

Modern Symmetric Block cipher

Data Encryption Standard

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Symmetric Cryptography

T Cryptography and Data Security

Cryptography and Network Security Block Ciphers + DES. Lectured by Nguyễn Đức Thái

Data Encryption Standard (DES)

Analysis, demands, and properties of pseudorandom number generators

Computer Security CS 526

Introduction to Network Security Missouri S&T University CPE 5420 Data Encryption Standard

Introduction to Modern Symmetric-Key Ciphers

Block Encryption and DES

Stream Ciphers - RC4. F. Sozzani, G. Bertoni, L. Breveglieri. Foundations of Cryptography - RC4 pp. 1 / 16

Double-DES, Triple-DES & Modes of Operation

Lecture 3: Symmetric Key Encryption

Data Encryption Standard

CPS2323. Block Ciphers: The Data Encryption Standard (DES)

Introduction to Cryptography. Lecture 2. Benny Pinkas. Perfect Cipher. Perfect Ciphers. Size of key space

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

Block Cipher Modes of Operation

AIT 682: Network and Systems Security

U-II BLOCK CIPHER ALGORITHMS

CIS 6930/4930 Computer and Network Security. Topic 3.1 Secret Key Cryptography (Cont d)

Symmetric Cryptography. CS4264 Fall 2016

Secret Key Algorithms (DES)

Introduction to Cryptography. Lecture 3

Symmetric Key Cryptosystems. Definition

Conventional Encryption: Modern Technologies

Computational Security, Stream and Block Cipher Functions

Symmetric Key Cryptography

Symmetric Cryptography CS461/ECE422

Applied Cryptography Data Encryption Standard

Cryptographic Algorithms - AES

New Kid on the Block Practical Construction of Block Ciphers. Table of contents

EEC-484/584 Computer Networks

ECE596C: Handout #7. Analysis of DES and the AES Standard. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

Darshan Institute of Engineering & Technology Page Information Security (IS) UNIT-2 Conventional Encryption Techniques

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

Cryptography III: Symmetric Ciphers

Secret Key Cryptography Overview

CS6701- CRYPTOGRAPHY AND NETWORK SECURITY UNIT 2 NOTES

CSCE 813 Internet Security Symmetric Cryptography

Week 4. : Block Ciphers and DES

Symmetric Key Algorithms. Definition. A symmetric key algorithm is an encryption algorithm where the same key is used for encrypting and decrypting.

CSE 127: Computer Security Cryptography. Kirill Levchenko

APNIC elearning: Cryptography Basics

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Security and Cryptography 1. Stefan Köpsell, Thorsten Strufe. Module 5: Pseudo Random Permutations and Block Ciphers

Block Ciphers and Stream Ciphers. Block Ciphers. Stream Ciphers. Block Ciphers

Transcription:

PRNGs & DES Luke Anderson luke@lukeanderson.com.au 16 th March 2018 University Of Sydney

Overview 1. Pseudo Random Number Generators 1.1 Sources of Entropy 1.2 Desirable PRNG Properties 1.3 Real PRNGs LCGs LFSRs RC4 Other PRNGs 1.4 Using PRNGs 2. Stream Ciphers 2.1 Construction from PRNGs 3. Data Encryption Standard 3.1 Introduction 3.2 History 3.3 NSA s involvement 3.4 Feistel Networks 3.5 DES Internals 3.6 Diffusion and Confusion

Pseudo Random Number Generators

Pseudorandom Number Generators A source of random numbers are essential in many occasions: Session Keys Shuffling of Cards Challenges Nonces Computers are inherently deterministic. As a result, true randomness is a difficult thing to come by. Since we can t get randomness easily, we use pseudorandom number generator functions (PRNGs) to generate what appears to be statistically random output. A cryptographically secure pseudo random number generator (CSPRNG) is a type of PRNG whose properties make it suitable for use in cryptography.

Sourcing Randomness PRNG functions produce the same sequence of seemingly random output when provided with particular seed data. Since a computer is deterministic it must extract randomness (entropy) from an external, truly random source. This could be something like: Thermal noise of hard drives Low-order bit fluctuations of voltage readings User input Geiger counter click timing Randomness can actually be really hard to come by: U.S. Patent 5,732,138 Method for seeding a pseudo-random number generator with a cryptographic hash of a digitization of a chaotic system. Lavarand by Silicon Graphics

Properties of PRNGs Desirable properties of PRNGs include: Repeatability Statistical randomness Long period / cycle Insensitive to seeds PRNGs are often broken by: Statistical tests that find patterns or biases in the output sequence Inferring the state of the internal registers from the output sequence PRNGs are usually critically important parts of a cryptosystem. They are often a single point of failure. e.g. Android Bitcoin wallet apps vulnerable to theft

Linear Congruential Generators An LCG generates a sequence x 1, x 2,... by starting with a seed x 0 and using the rule: x n+1 = (ax n + b) mod c where a, b, and c are fixed constants. The period of the PRNG is at most c. Must not be used for security purposes it s easily predictable. Only two values x i, x i+1 are needed to determine a and b. Commonly found in libraries, e.g. the Unix rand() function. Don t Use LCGs Where Security Matters An LCG was once used by an online casino who were so sure of their code that they published their algorithms the results were as one would expect.

Linear Feedback Shift Registers A Linear Feedback Shift Register (LFSR) simply combines the bits of a series of registers, and shifts the output onto the register. The seed is the initial value of the register. Easy and fast in hardware (1 bit per clock). Problem: tap configuration can be determined from 2n output bits, where n is the length of the LFSR period.

RC4 Stream Cipher RC4 is a stream cipher which has wide applications in cryptography. At one point, RC4 was used to encrypt > 50% of all SSL traffic. It is the core algorithm of Wired Equivalent Privacy (WEP) Based on permutations of a 256 byte array, the seed is the initial array value. RC4 s key scheduling algorithm has known problems (e.g. WEP weakness) 1 i := 0 2 j := 0 3 while GeneratingOutput: 4 i := (i + 1) mod 256 5 j := (j + S[i]) mod 256 6 swap values of S[i] and S[j] 7 K := S[(S[i] + S[j]) mod 256] 8 output K 9 endwhile

Other PRNGs ANSI X9.17 Based on 3DES DSA PRNG Based on SHA or DES RSAREF PRNG Based on MD5 hashing and addition modulo 2 128

Tips for using PRNGs Be extremely careful with PRNG seeds! Hash PRNG inputs with a timestamp or counter Reseed the PRNG occasionally Use a hash function to protect PRNG outputs if PRNG is suspect

Stream Ciphers

Stream Ciphers from PRNGs In a one-time-pad, we have a perfectly random r the same size as the message m, and the ciphertext is c = r m. Idea: Replace r with a pseudorandom stream. The seed for the PRNG is the key k. Encryption: E k (m) = m PRNG(k). Decryption: D k (c) = c PRNG(k). Whenever a key k is expanded to a large pseudorandom stream, this is called a stream cipher. Seed k Pseudorandom Stream PRNG(k) Message m

Stream Ciphers Advantages of using a stream cipher: Ease of implementation and use. Secure PRNGs can be a lot faster than block ciphers. The security of a stream cipher directly depends on the security of the pseudorandom number generator. It must be computationally hard to find the seed k, or the sequence PRNG(k). The seed k must be used only once. The PRNG period must be at least as long as the message. As with the one-time-pad, stream ciphers by themselves only ensure secrecy. The message may still be modified in transit.

Data Encryption Standard

Data Encryption Standard (DES) Block Ciphers A block cipher is a pair of encryption/decryption algorithms (E, D) operating on blocks of a fixed length B. Both algorithms take a K-bit key k, and for any block b: D k (E k (b)) = b DES is a block cipher operating on 64-bit blocks, using a 56-bit key. Developed in the early 1970 s at IBM. Tweaked by the NSA (National Security Agency) before release in 1977. The world s most heavily analysed and used cipher.

A brief history of DES 1970s IBM Research team led by Feistel develops the LUCIFER cipher (128-bit blocks and keys) 1973 NBS (now NIST) asks for a proposed data encryption standard 1974 IBM develops DES from LUCIFER 1975 NSA fixes DES: shortens key from 64 to 56 bits, and modifies some S-boxes (substitution boxes) 1977 DES adopted as a standard. 1991 Biham and Shamir discover differential cryptanalysis, apply their new technique to DES, and find that the NSA s modifications had improved security 1993 Michael Wiener of Nortel theorises a USD$1M machine could crack DES in 3.5 hours using general purpose hardware 1997 DES cracked by brute force by distributed.net in 96 days NIST asks for a proposal for AES (Advanced Encryption Standard) 1999 DES cracked in 24 hours by distributed.net and the EFF USD$250,000 Deep Crack machine 2000 Rijndael accepted as AES (128/192/256-bit keyspace, 128-bit blocks)

The NSA s involvement in DES The NSA s modifications to DES were thought to be adding a back door. 20 years later (1990s), academia independently rediscovered differential cryptanalysis (DC). DC had been discovered by IBM in the 1970s (and used in the construction of DES), but IBM were gagged by the NSA. The NSA had used DC to strengthen DES, while no-one else was aware it existed. NSA doesn t want a strong cryptosystem as a national standard, because it is afraid of not being able to read the messages. On the other hand, if the NSA endorses a weak cryptographic system and is discovered, it will get a terrible black eye. EFF, 1998

Feistel Networks Recall: a block cipher E k : {0, 1} n {0, 1} n must be invertible. Hard: coming up with cryptographically secure invertible functions. Easier: coming up with pseudorandom functions (such as hashes). Feistel Network Given d pseudorandom functions f 1,..., f d, where each f i maps n bits to n bits, a Feistel Network combines these functions into a secure invertible function F, mapping 2n bits to 2n bits. R 0 R 1 R 2 R d f 1 f 2 L 0 L 1 L 2 L d

Feistel Networks Algebraically, we have d functions f 1,..., f d, and split our initial input into two: (L 0, R 0 ). The Feistel network is then: L i = R i 1 R i = f i (R i 1 ) L i 1 Finishing with the final value (L d, R d ). The whole network is invertible because each step is invertible. In fact, the inverse network is identical, but with the function order reversed: f d, f d 1,..., f 2, f 1. When used in a cipher, the functions f 1,..., f d are called round functions.

DES Internals DES takes a 56-bit key k and a 64-bit block b to be encrypted. An initial permutation IP is applied to the block. The block is then fed into a 16-round Feistel network, with round functions f i (x) = F(x, k i ), where k 1,..., k 16 is the key schedule derived from k, and F is the DES round function. A final permutation FP is then applied to the output. b IP Feistel Network with rounds f 1, f 2,..., f 15, f 16 FP E k (b) The overall structure of DES The round function F(x, k i ) is the core of DES.

The DES Round Function The round function f i (x) = F(x, k i ) consists of: E, an expansion permutation widening x from 32 to 48 bits. S j, the substitition boxes (S-boxes) which collapse 6 bits to 4 bits. P, a fixed permutation (P-box). Half block x (32 bits) Round key k i (48 bits) E 48 bits S 1 S 2 S 3 S 4 S 5 S 6 S 7 S 8 P Output (32 bits)

Diffusion and Confusion Diffusion is the dissipation of statistical information present in the plaintext. Flipping a bit in the plaintext should result in half the bits of the ciphertext changing. Flipping a bit in the ciphertext should result in half the bits of the plaintext changing. Confusion is making the relationship between the key and the ciphertext as complicated as possible. Each bit of the ciphertext should depend on multiple bits of the key. Even if an attacker gathers many (plaintext, ciphertext) pairs encrypted under the same key, they should not be able to deduce the key.

Diffusion and Confusion with S and P-boxes When highly nonlinear S-boxes are combined with good P-boxes, both the properties of confusion and diffusion arise. Having linear S-boxes would make the whole of DES a linear function. Having P-boxes not spreading bits around enough would allow DES to be broken down into smaller independent subproblems. Qualitatively, good S and P-boxes work together : S-boxes will be highly nonlinear, and flipping an input bit should result in half the output bits flipping. The P-box following this up should distribute those bits evenly across S-boxes in the next round. The P-box must diffuse the round key evenly over the whole block.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback