CSC574: Computer & Network Security

Similar documents
CIS 6930/4930 Computer and Network Security. Topic 3.1 Secret Key Cryptography (Cont d)

CSC 474/574 Information Systems Security

CSC574: Computer & Network Security

Chapter 3 Block Ciphers and the Data Encryption Standard

Network Security Essentials Chapter 2

Introduction to Network Security Missouri S&T University CPE 5420 Data Encryption Standard

Modern Symmetric Block cipher

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

Module: Cryptography. Professor Patrick McDaniel Fall CSE543 - Introduction to Computer and Network Security

Secret Key Cryptography

Symmetric Encryption. Thierry Sans

CSCI 454/554 Computer and Network Security. Topic 3.1 Secret Key Cryptography Algorithms

Block Ciphers and Data Encryption Standard. CSS Security and Cryptography

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Lecture 1 Applied Cryptography (Part 1)

Cryptography Functions

A Novel Symmetric Block Cipher Algorithm. Based on Two-Key Dependent Permutation

AIT 682: Network and Systems Security

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

Double-DES, Triple-DES & Modes of Operation

Symmetric Cryptography

Introduction to Modern Cryptography. Lecture 2. Symmetric Encryption: Stream & Block Ciphers

CSCI 454/554 Computer and Network Security. Topic 3.2 Secret Key Cryptography Modes of Operation

ECE596C: Handout #7. Analysis of DES and the AES Standard. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

Symmetric Key Encryption. Symmetric Key Encryption. Advanced Encryption Standard ( AES ) DES DES DES 08/01/2015. DES and 3-DES.

Data Encryption Standard (DES)

Symmetric Encryption Algorithms

CENG 520 Lecture Note III

CSC/ECE 574 Computer and Network Security. Processing with Block Ciphers. Issues for Block Chaining Modes

Goals of Modern Cryptography

3 Symmetric Cryptography

CIS 6930/4930 Computer and Network Security. Project requirements

CSE 127: Computer Security Cryptography. Kirill Levchenko

Block Encryption and DES

P2_L6 Symmetric Encryption Page 1

Block Ciphers. Advanced Encryption Standard (AES)

CS6701- CRYPTOGRAPHY AND NETWORK SECURITY UNIT 2 NOTES

18-642: Cryptography 11/15/ Philip Koopman

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Lecture 4: Symmetric Key Encryption

L3. An Introduction to Block Ciphers. Rocky K. C. Chang, 29 January 2015

UNIT - II Traditional Symmetric-Key Ciphers. Cryptography & Network Security - Behrouz A. Forouzan

Chapter 6 Contemporary Symmetric Ciphers

CHAPTER 6. SYMMETRIC CIPHERS C = E(K2, E(K1, P))

Lecture 2: Secret Key Cryptography

6 Block Ciphers. 6.1 Block Ciphers CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

Fundamentals of Cryptography

Symmetric Cryptography. Chapter 6

Advanced Encryption Standard and Modes of Operation. Foundations of Cryptography - AES pp. 1 / 50

Processing with Block Ciphers

Lecture 3: Symmetric Key Encryption

7. Symmetric encryption. symmetric cryptography 1

CIS 4360 Secure Computer Systems Symmetric Cryptography

Network Security Essentials

Modern Block Ciphers

Computer and Data Security. Lecture 3 Block cipher and DES

Scanned by CamScanner

Cryptography [Symmetric Encryption]

Introduction to Cryptography. Lecture 3

Chapter 6: Contemporary Symmetric Ciphers

Cryptography and Network Security Block Ciphers + DES. Lectured by Nguyễn Đức Thái

Computer Security 3/23/18

Symmetric Cryptography CS461/ECE422

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Introduction to Cryptographic Systems. Asst. Prof. Mihai Chiroiu

Introduction to Cryptography. Lecture 2. Benny Pinkas. Perfect Cipher. Perfect Ciphers. Size of key space

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

18-642: Cryptography

Winter 2011 Josh Benaloh Brian LaMacchia

Network Security. Lecture# 6 Lecture Slides Prepared by: Syed Irfan Ullah N.W.F.P. Agricultural University Peshawar

PRNGs & DES. Luke Anderson. 16 th March University Of Sydney.

Introduction to Cryptography. Lecture 3

Cryptography 2017 Lecture 3

Secret Key Cryptography Overview

Computer Security CS 526

Symmetric-Key Cryptography

Block Ciphers Introduction

CSCE 813 Internet Security Symmetric Cryptography

Conventional Encryption: Modern Technologies

Crypto: Symmetric-Key Cryptography

Cryptography and Network Security

Part XII. From theory to practice in cryptography

Information Security CS526

CPSC 467b: Cryptography and Computer Security

Secret Key Cryptography (Spring 2004)

CPSC 467b: Cryptography and Computer Security

Block Cipher Operation. CS 6313 Fall ASU

Cryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1

Content of this part

Block Ciphers, DES, 2DES, 3DES

Block Ciphers. Secure Software Systems

Stream Ciphers and Block Ciphers

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

ENGI 8868/9877 Computer and Communications Security III. BLOCK CIPHERS. Symmetric Key Cryptography. insecure channel

Homework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING

Cryptography and Network Security Chapter 3. Modern Block Ciphers. Block vs Stream Ciphers. Block Cipher Principles

Stream Ciphers and Block Ciphers

Cryptography: Symmetric Encryption [continued]

Symmetric Key Cryptography

Transcription:

CSC574: Computer & Network Security Lecture 3 Prof. William Enck Spring 2016 (Derived from slides by Micah Sherr, Patrick McDaniel, and Peng Ning)

Modern Cryptography 2

Kerckhoffs Principles Modern cryptosystems use a key to control encryption and decryption Ciphertext should be undecipherable without the correct key Encryption key may be different from decryption key. Kerckhoffs principles [1883]: Assume Eve knows cipher algorithm Security should rely on choice of key If Eve discovers the key, a new key can be chosen 3

Kerckhoffs Principles Kerckhoffs Principles are contrary to the principle of security by obscurity, which relies only upon the secrecy of the algorithm/ cryptosystem If security of a keyless algorithm compromised, cryptosystem becomes permanently useless (and unfixable) Algorithms relatively easy to reverse engineer 4

Symmetric and Asymmetric Crypto M C M E D Alice K1 K2 Bob Symmetric crypto: (also called private key crypto) Alice and Bob share the same key (K=K1=K2) K used for both encrypting and decrypting Doesn't imply that encrypting and decrypting are the same algorithm Also called private key or secret key cryptography, since knowledge of the key reveals the plaintext Asymmetric crypto: (also called public key crypto) Alice and Bob have different keys Alice encrypts with K1 and Bob decrypts with K2 Also called public key cryptography, since Alice and Bob can publicly post their public keys 5

Secret Key Crypto M C M E D Alice K K Bob Without K, Eve cannot decrypt C Eve 6

Crypto Confidentiality: Encryption and Decryption Functions Private Key Public Key Stream Ciphers Block Ciphers? 7

Block ciphers vs. Stream ciphers Stream Ciphers Combine (e.g., XOR) plaintext with pseudorandom stream of bits Pseudorandom stream generated based on key XOR with same bit stream to recover plaintext E.g., RC4, FISH Block Ciphers Fixed block size Encrypt block-sized portions of plaintext Combine encrypted blocks (more on this later) E.g., DES, 3DES, AES 8

Stream Ciphers Useful when plaintext arrives as a stream (e.g., 802.11's WEP) Vulnerable if used incorrectly 9

Stream Ciphers Key reuse: [C(K) = pseudorandom stream produced using key K] E(M1) = M1 C(K) E(M2) = M2 C(K) Suppose Eve knows ciphertexts E(M1) and E(M2) E(M1) E(M2) = M1 C(K) M2 C(K) = M1 M2 M1 and M2 can be derived from M1 M2 using frequency analysis Countermeasure is to use IV (initialization vector) IV sent in clear and is combined with K to produce pseudorandom sequence E.g., replace C(K) with C(K IV) IVs should never be reused and should be sufficiently large WEP broken partly because IVs were insufficiently large modern stream ciphers take IVs, but it's up to the programmer to generate them 10

Stream Ciphers Substitution Attack: M = Pay me $100.00 E(M) = M C(K) Suppose Eve knows M and E(M) but doesn't know K She can substitute M for M' by replacing E(M) with: E'(M) = E(M) M M' = M C(K) M M' = C(K) M' Eve can then replace E(M) with E'(M), which Bob will decrypt message as M' ( Pay me $900.00 ) Countermeasure is to include message authentication code (more on this later) that helps detect manipulation (i.e., provides integrity and authenticity) 11

Generic Block Encryption Converts one input plaintext block of fixed size b bits to an output ciphertext block also of b bits Benefits of large b? of short b? plaintext block 0 block 1 block 2 key Encryption ciphertext block 0 block 1 block 2 12

Two Principles for Cipher Design Confusion: Make the relationship between the <plaintext, key> input and the <ciphertext> output as complex (non-linear) as possible Mainly accomplished by substitution Diffusion: Spread the influence of each input bit across many output bits Mainly accomplished by permutation Idea: use multiple, alternating permutations and subsitutions S P S P S... or P S P S P... Does it have to alternate?, e.g., S S S P P P S S... 13

Basic Form of Modern Block Ciphers Plaintext block Key Preprocessing Sub-Key Generation Rounds of Encryption i=1,2,,n Sub-Key #1 Sub-Key #2 Sub-Key #3 Sub-Key #n Postprocessing Ciphertext block 14

Feistel Cipher Very influential template for designing block ciphers Major benefit: do encryption and decryption w/ same hardware One round of Feistel Encryption 1. Break input block i into left and right halves L i and R i 2. Copy R i to create output half block L i+1 3. Half block R i and key K i are scrambled by function f 4. XOR result with input half-block L i to create output half-block R i+1 L i Input block i f R i K i L i+1 R i+1 Output block i+1 15

One Round of Feistel Decryption Output block i+1 L i R i f K i Just reverse the arrows! L i+1 R i+1 Input block i 16

Complete Feistel Cipher: Encryption Plaintext (2w bits) L 0 R 0 K 1 Round 1 f K 2 Round i f L 2 R 2 Round n f K n note this final swap! L n L n+1 R n+1 R n Ciphertext 17 (2w bits)

Feistel Cipher: Decryption Ciphertext (2w bits) L 0 R 0 K n Round 1 f K n-1 Round i f L 2 R 2 Round n f K 1 note this final swap! L n L n+1 R n+1 R n Plaintext (2w bits) 18 CSC 474

Data Encryption Standard (DES) Introduced by the US NBS (now NIST) in 1972 Signaled the beginning of the modern area of cryptography Basics Feistel Cipher 8-byte (64 bit) input 8-byte (64 bit) output 8-byte key (56 bits + 8 parity bits) 16 rounds 64-bit Input Initial Permutation Round 1 Round 2 Round 16 Swap Halves 48-bit K 1 48-bit K 2 48-bit K 16 56-bit Key Generate round keys Final Permutation 19 64-bit Output

DES Round: f (Mangler) Function function f = Mangler Input block i 32-bit half block L i R i Expansion f K i S-Box (substitution) 48 bits K i L i+1 R i+1 Output block i+1 Permutation 32-bit half block 20

Substitution Box (S-Box) A substitution box (or S-box) is used to obscure the relationship between the plaintext and the ciphertext Shannon s property of confusion: the relationship between key and ciphertext is complex as possible In DES, S-boxes are carefully chosen to resist cryptanalysis Thus, that is where the security comes from Example: Given a 6-bit input, the 4-bit output is found by selecting the row using the outer two bits, and the column using the inner four bits. For example, an input "011011" has outer bits "01" and inner bits "1101"; the corresponding output would be "1001". 21

Avalanche Effect in DES: Change in Plaintext Round δ Round δ 02468aceeca86420 12468aceeca86420 1 3cf03c0fbad22845 3cf03c0fbad32845 2 bad2284599e9b723 bad3284539a9b7a3 3 99e9b7230bae3b9e 39a9b7a3171cb8b3 4 0bae3b9e42415649 171cb8b3ccaca55e 5 4241564918b3fa41 ccaca55ed16c3653 6 18b3fa419616fe23 d16c3653cf402c68 7 9616fe2367117cf2 cf402c682b2cefbc 8 67117cf2c11bfc09 2b2cefbc99f91153 1 9 c11bfc09887fbc6c 99f911532eed7d94 1 10 887fbc6c600f7e8b 2eed7d94d0f23094 5 11 600f7e8bf596506e d0f23094455da9c4 18 12 f596506e738538b8 455da9c47f6e3cf3 34 13 738538b8c6a62c4e 7f6e3cf34bc1a8d9 37 14 c6a62c4e56b0bd75 4bc1a8d91e07d409 33 15 56b0bd7575e8fd8f 1e07d4091ce2e6dc 32 16 75e8fd8f25896490 1ce2e6dc365e5f59 33 IP 1 da02ce3a89ecac3b 057cde97d7683f2a 32 34 37 31 29 33 31 32 32 22 (from Stallings, Crypto and Net Security)

Avalanche Effect in DES: Change in Key Round δ Round δ 02468aceeca86420 02468aceeca86420 1 3cf03c0fbad22845 3cf03c0f9ad628c5 2 bad2284599e9b723 9ad628c59939136b 3 99e9b7230bae3b9e 9939136b768067b7 4 0bae3b9e42415649 768067b75a8807c5 5 4241564918b3fa41 5a8807c5488dbe94 6 18b3fa419616fe23 488dbe94aba7fe53 7 9616fe2367117cf2 aba7fe53177d21e4 8 67117cf2c11bfc09 177d21e4548f1de4 0 9 c11bfc09887fbc6c 548f1de471f64dfd 3 10 887fbc6c600f7e8b 71f64dfd4279876c 11 11 600f7e8bf596506e 4279876c399fdc0d 25 12 f596506e738538b8 399fdc0d6d208dbb 29 13 738538b8c6a62c4e 6d208dbbb9bdeeaa 26 14 c6a62c4e56b0bd75 b9bdeeaad2c3a56f 26 15 56b0bd7575e8fd8f d2c3a56f2765c1fb 27 16 75e8fd8f25896490 2765c1fb01263dc4 32 IP 1 da02ce3a89ecac3b ee92b50606b62b0b 34 36 32 28 33 30 33 30 30 23 (from Stallings, Crypto and Net Security)

Cryptanalysis of DES DES has an effective 56-bit key length Wiener: $1,000,000-3.5 hours (never built) July 17, 1998, the EFF DES Cracker, which was built for less than $250,000 < 3 days January 19, 1999, Distributed.Net (w/eff), 22 hours and 15 minutes (over many machines) We all assume that NSA and agencies like it around the world can crack (recover key) DES in milliseconds What now? Give up on DES? 24

Variants of DES DESX (XOR with separate keys ~= 60-bits) DESX(m) =K 2 DES K (m K 1 ) Linear cryptanalysis Triple DES (three keys ~= 112 bits) Keys k 1, k 2, k 3, but in practice k 1 = k 3 C = E(D(E(p, k 1 ),k 2,k 3 ) Compatible with normal DES if k 1 = k 2 = k 3 k 1 k 2 k 3 p E D E c 25

Advanced Encryption Standard (AES) International NIST bakeoff between cryptographers Rijndael (pronounced Rhine-dall ) Replaced DES as the accepted symmetric key cipher Substitution-permutation network, not a Feistel network Variable key lengths (, 192, or 256 bits) Block size: bits Fast implementation in both hardware and software Small code and memory footprint 26

AES Encryption Process 27 (from Stallings, Crypto and Net Security)

AES Data Structures (from Stallings, Crypto and Net Security) 28

AES Encryption and Decryption 29 (from Stallings, Crypto and Net Security)

30 (from Stallings, Crypto and Net Security)

S-box S-box and Inverse Inverse S-box S-box (from Stallings, Crypto and Net Security) 31

Implementation Aspects AES can be implemented very efficiently on an 8-bit processor AddRoundKey is a bytewise XOR operation ShiftRows is a simple byte-shifting operation SubBytes operates at the byte level and only requires a table of 256 bytes MixColumns requires matrix multiplication in the field GF(2 8 ), which means all operations are carried out on bytes Designers believe this very efficient implementation was a key factor in its selection as the AES cipher 32 (from Stallings, Crypto and Net Security)

Modes of Operation Most ciphers work on blocks of fixed (small) size How to encrypt long messages? Modes of operation ECB (Electronic Code Book) CBC (Cipher Block Chaining) OFB (Output Feedback) CFB (Cipher Feedback) CTR (Counter) 33

Issues for Block Chaining Modes Information leakage: Does it reveal info about the plaintext blocks? Ciphertext manipulation: Can an attacker modify ciphertext block(s) in a way that will produce a predictable/desired change in the decrypted plaintext block(s)? Note: assume the structure of the plaintext is known, e.g., first block is employee #1 salary, second block is employee #2 salary, etc. Parallel/Sequential: Can blocks of plaintext (ciphertext) be encrypted (decrypted) in parallel? Error Propagation: If there is an error in a plaintext (ciphertext) block, will there be an encryption (decryption) error in more than one ciphertext (plaintext) block? 34

Electronic Code Book Plaintext (ECB) M 1 M 2 M 3 M 4 46 + padding Key E E E E Ciphertext C 1 C 2 C 3 C 4 The easiest mode of operation; each block is independently encrypted 35

ECB Decryption M 1 M 2 M 3 M 4 46 + padding Key D D D D C 1 C 2 C 3 C 4 Each block is independently decrypted 36

ECB Issues Information leaks: two ciphertext blocks that are the same Manipulation: switch ciphertext with predictable results on plaintext (e.g., shuffle). Parallel: yes Propagate: no Plaintext ECB Other modes 37

Cipher Block Chaining (CBC) M 1 M 2 M 3 M 4 46 + padding Initialization Vector Key E E E E C 1 C 2 C 3 C 4 Chaining dependency: each ciphertext block depends on all preceding plaintext blocks 38

Initialization Vectors Initialization Vector (IV) Used along with the key; not secret For a given plaintext, changing either the key, or the IV, will produce a different ciphertext Why is that useful? IV generation and sharing Random; may transmit with the ciphertext Incremental; predictable by receivers 39

CBC Decryption M 1 M 2 M 3 M 4 46 + padding Initialization Vector Key D D D D C 1 C 2 C 3 C 4 How many ciphertext blocks does each plaintext block depend on? 40

CBC Properties Does information leak? Identical plaintext blocks will produce different ciphertext blocks Can ciphertext be manipulated profitably???? Parallel processing possible? no (encryption), yes (decryption) Do ciphertext errors propagate? yes (encryption), a little (decryption) 41

Output Feedback Mode (OFB) Initialization Vector one-time pad Key E Pseudo-Random E Number Generator E E M 1 M 2 M 3 M 4 46 + padding C 1 C 2 C 3 C 4 42

OFB Decryption IV one-time pad Key E E E E M 1 M 2 M 3 M 4 46 + padding C 1 C 2 C 3 C 4 No block decryption required! 43

OFB Properties Does information leak? identical plaintext blocks produce different ciphertext blocks Can ciphertext be manipulated profitably???? Parallel processing possible? no (generating pad), yes (XORing with blocks) Do ciphertext errors propagate???? 44

OFB (Cont d) If you know one plaintext/ciphertext pair, can easily derive the one-time pad that was used i.e., should not reuse a one-time pad! Conclusion: IV must be different every time 45

Cipher Feedback Mode (CFB) IV Key E E E E M 1 M 2 M 3 M 4 46 + padding C 1 C 2 C 3 C 4 Ciphertext block C j depends on all preceding plaintext blocks 46

CFB Decryption IV Key E E E E M 1 M 2 M 3 M 4 46 + padding C 1 C 2 C 3 C 4 No block decryption required! 47

CFB Properties Does information leak? Identical plaintext blocks produce different ciphertext blocks Can ciphertext be manipulated profitably???? Parallel processing possible? no (encryption), yes (decryption) Do ciphertext errors propagate???? 48

Counter Mode (CTR) IV IV++ IV++ Key E E E M 1 M 2 M 3 C 1 C 2 C 3 49

CTR Mode Properties Does information leak? Identical plaintext block produce different ciphertext blocks Can ciphertext be manipulated profitably??? Parallel processing possible Yes (both generating pad and XORing) Do ciphertext errors propagate???? Allow decryption the ciphertext at any location Ideal for random access to ciphertext 50

Basic truths of cryptography Cryptography is not frequently the source of security problems Algorithms are well known and widely studied Vetted through crypto community Avoid any proprietary encryption Claims of new technology or perfect security are almost assuredly snake oil 51

Building systems with cryptography Use quality libraries SSLeay, cryptolib, openssl Find out what cryptographers think of a package before using it Code review like crazy Educate yourself on how to use library Understand caveats by original designer and programmer 52

Common pitfalls Generating randomness Storage of secret keys Virtual memory (pages secrets onto disk) Protocol interactions Poor user interface Poor choice of parameters or modes 53

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback