Cryptography Foundations Symmetric cryptography (conventional encryption) 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 1
Outline Symmetric cryptography Symmetric encryption algorithms Attacks: brute-force vs. cryptanalysis Cipher block modes of operation Padding Encryption devices: location and management Key-distribution with symmetric cryptography 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 2
Outline Symmetric cryptography Symmetric encryption algorithms Attacks: Brute Force vs. Cryptanalysis Cipher block modes of operation Padding Encryption devices: location and management Key-distribution with symmetric cryptography 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 3
Symmetric cyphers Block-Oriented (or block ciphers) Used with different block modes of operation Byte-oriented modes vs. N-bytes-block-oriented modes Blocks with fixed size Key sizes and block sized defined (fixed) for each algorithm (you must know it) Stream-oriented (or stream ciphers) byte-stream-oriented or bit-stream-oriented operation Variable key-sizes (algorithm dependent) Fast to operate on stream-oriented inputs (bytes, bits) Ex., real-time, iterative-traffic or low-latency communication requirements 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 4
Characterized by: Block size (larger means greater security) Key size (larger means greater security) Round transformation function (greater complexity means more resistance) Number of rounds (multiple rounds increase security) Type of operations in a round function Substitutions (Sboxes) Transpositions by permutations with possible block expansion or block reduction (Pboxes), rotations (rotation tables) Boolean operations (XOR) Sub-key generation in each round (from the input key) Algebraic operations (modular arithmetics, matrix -operations, operations in GF2, etc.) 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 5
Security Remember the robustness and assessment criteria (brute -force, test-analysis, cryptanalysis,. previous classes) Requires complexity (complex transformations in each round), large number of rounds, large keysize, large blocks Fast operation (performance) Speed of the algorithm is a concern Simplicity (ex., HW implementations and embedded solutions, fast computation, low computational cost, energy-savings, Ease of analysis Simplicity in the internal reference structure analyzable : formalisms and mathematical foundations The interesting algorithms must balance these tradeoffs, maximizing each criteria 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 6
Horst Feistel, IBM, 1973 Base structure for many symmetric algorithms (ex., DES) Decryption implemented as Encryption (input: ciphertext, and use of sub-keys in the reverse order) In each round: Li = Ri-1 Ri = Li-1 xor F(Ri-1, Ki) 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 7
Symmetric block cyphers: AES, DES Figures in AES: 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 8
Performance of algorithms Comparisons in Java (standard JDK and Sun Crypto-Provider) http://www.javamex.com/tutorials/cryptography/ciphers.shtml http://www.javamex.com/tutorials/cryptography/hash_functions_algorithms.shtml See also: Openssl speed benchmark (speed test library performance) http://wikis.sun.com/display/cryptoperf/ultrasparc+cryptographic+performance 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 9
Data Encryption Standard (DES) The most widely used encryption scheme, until 2000 The algorithm is reffered to the Data Encryption Algorithm (DEA) DES is a block cipher The plaintext is processed in 64-bit blocks The key is 56-bits in length 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 10
DES Algorithm Base: Feistel structure: The overall processing at each iteration (round): Li = Ri-1 Ri = Li-1 F(Ri-1, Ki) Security concerns about: >The algorithm and the key length (56-bits) > Weak, semi-weak or potentially weak keys > 1998, EFF, DES cracker machine (3 days) > 10 hours (machine Doing 10^6 decryptions/ microsec 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 11
Initial and final permutations 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 12
16 Rounds Sub-Key Generation For each roud Henric Johnson 13 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 13
Expansion/Permutation (EP box) and Pbox In: 32 bits EP Box Out: 48 bits In: 32 bits Pbox Out: 32 bits 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 14
Substitution Boxes (for 16 rounds) Ex: 011101 0011 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 15
S boxes (S1 to S4) Valores de entrada: 0 (000000) a 63 (111111) Ex: 011101 0011 Note: values in each sbox: 0 to 15 (0000 a 1111) Ex: 8º sexteto MS 011101 01 (row 1) 1110 (column 14) Then: 011101 3, then output is 0011 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 16
Sboxes (S5 a S8) 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 17
Sub-Key Generation For each roud Henric Johnson 18 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 18
Sub-key generation A sub-key is generated in each round PC1: two halfs (28 bits) obtained by permutation In each round, each half is rotated for the next round Input Key (56 bits) 2 Initial Sub-Keys (28 bits) (Initial Permutation PC1) 16 rotations (one per round): a specific rotation is defined for each round PC2: In each round, a permutation with reduction (56 > 48 bits) 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 19
PC2 sub-key rescheduling 56 bits (28 left + 28 right) Block Ri-1 Key-Rotation XOR 48 bits PC2 S-BOX (round i) Key-Rotation (for the next round) 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 20
Multiple Encryption & DES Clear a replacement for DES was needed theoretical attacks that can break it demonstrated exhaustive key search attacks Cryptanalysis: demonstrated vulnerabilities Weak, Semi-Weak and Potentially Weak keys AES is a new cipher alternative The standard symmetric encryption for the XXI century Promoted by different organizations: NIST, ANSI, etc Prior to this alternative was to use multiple encryption with DES implementations Triple-DES is the chosen form Compatibility, during the adoption of AES 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 21
Double-DES? No thanks Could use 2 DES encrypts on each block C = [ E K2 ( E K1 (P) ] Issue of reduction to single stage with single key (1992) and have meet-in-the-middle attack works whenever use a cipher twice since X = E K1 (P) = D K2 (C) attack by encrypting P with all keys and store then decrypt C with keys and match X value can show takes O(2 56 ) steps 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 22
Triple-DES with Two-Keys hence must use 3 encryptions would seem to need 3 distinct keys but can use 2 keys with E-D-E sequence C = E K1 (D K2 (E K1 (P))) Encrypt & decrypt equivalent in security If K1=K2 then can work with single DES (compatibility) standardized in ANSI X9.17 & ISO8732 Effective key length of 112 bits no current known practical attacks But the use of 3 keys is better (improvement of the key-length effect) 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 23
Although are no practical attacks on two-key TripleDES have some indications can use Triple-DES with Three-Keys to avoid even these C = [ E K3 [ D K2 (E K1 (P) ] ] has been adopted by some Internet applications, eg PGP, S/MIME Paranoid? Use N times DEA with N different keys Problem? Effective key lenght: 168 bits Note: Triple or N-encryptiondecryption can be applied to any block cipher algorithm 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 24
TEMK Triple Encryption with Minimum Key Constants T1, T2 and T3 and Two initial Keys: K1, K2 to derive three keys: KX1, KX2, KX3 for triple encryption KXi = D(K2, E(K1,Ti)) Use of Triple encryption modes (ex., Inner CBC, Outer CBC) Triple encryption with prefix-pads (pad size < block size) Doubling Block Length Space Ntuple Encryption: ex., n=5, 3 keys, C=Ek1(Dk2(Ek3(Dk4(Ek5(P))))) Witening technique: C= K3 XOR E( K2, ( P XOR K1) ) Cascading multiple block ciphers: it is at least as hard to break as any of its component ciphers Combination technique Random bit-string R with the same size as M C = E(K1, R) XOR E(K2, (M XOR R) ) 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 25
International Data Encryption Algorithm (IDEA) 128-bit key Used in PGP Blowfish Easy to implement High execution speed Run in less than 5K of memory 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 26
RC5 Suitable for hardware and software Fast, simple Adaptable to processors of different word lengths Variable number of rounds Variable-length key Low memory requirement High security Data-dependent rotations Cast-128 Key size from 40 to 128 bits The round function differs from round to round 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 27
Skypjack Example of simple symmetric crypto, interesting for small devices and HW implementation (very usual before AES implementations in HW for embeded systems and small devices, such as micro-sensos, motes, etc 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 28
Symmetric block cyphers and characteristics Criptografia Simétrica > Estabelecimento de canais Operations seguros (Confidencialidade) (standadization) > Problemas da partilha (distribuição) XOR, S-boxes, P-Boxes das chaves. SET, Kerberos 56 16 Criptografia Assimétrica EP Boxes, Rotations,... Confidencialidade: cifra com chave pública Financial standards 112/168 48 Autenticidade: assinaturas (cifra com chave E-commerce, privada) PGP idem S/MIME, SSL Envolver sínteses (one-way hashing nas assinaturas) XOR, addition mod 2^16 Não repúdio: 128 garantida 8 no,multiplication pressuposto mod 2^16 de não PGP, revogação SSL da chave num dado tempo XOR + shift > Operação mais lenta Alg. Key size Rounds Structure Applications DES 3DES IDEA TEA Blowfish RC5 Cast-128 128 < 448 < 2048 40-128 32 16 < 255 16 AES 128, 192, 256 10,12,14 XOR + Variable S-boxes Addition, subtraction XOR and rotation operations Addition, Subtraction, XOR, Rotation and S-boxes S boxes, Matrix SR-MC, XOR 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 29 SSL PGP Many: promoted as a standard after 2000 Later Later Jump AES Later
Symmetric block cyphers and characteristics Alg. Key size Rounds Structure Applications Operations (standadization) Skypjack 80 bits 4 x 8 = XOR, P-Boxes 32 Matrix-based Exp... Sensors, WSN communication 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 30
Skypjack W i 0 32 rounds W i 32 SKIPJACK is a 64-bit codebook utilizing an 80-bit cryptovariable (Key) SKIPJACK encrypt/decrypt 4-word (64-bit) data blocks by alternating between the two stepping rules (A and B) Input = W i0, 1 i 4, (i.e., k=0 for the beginning step), Counter initialized = 0 Steps (32 rounds of 8 step rules): Rules A, B, C, D The Counter Increment by one after each step The Output = W i 32, 1 i 4 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 31
Decryption Rule (A -1 and B -1 ) Rule A -1 W 1 k-1 = [G k-1 ] -1 (w 2k ) W 2 k-1 = w 3 k W 3 k-1 = w 4 k W 4 k-1 = w 1 k w 2 k counter k-1 Rule B -1 W 1 k-1 = [G k-1 ] -1 (w 2k ) W 2 k-1 = [G k-1 ] -1 (w 2k ) w 3 k counter k-1 W 3 k-1 = w 4 k W 4 k-1 = w 1 k 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 32
G - Permutation 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 33
Design Features in HW SKIPJACK module implemented easily as a peripheral HW device (as a crypto module) with 16-bit host interface Data interface to the module using read/write operation to the registers Single design for Encryption and Decryption - Based upon a flag in control register Device specific look-up ROMs used for look-up tables Fast, Low-memory requirements, Weak Energy requirements (for the case of wireless devices with autonomous batteries) 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 34
F -Table and Cryptovariable F -Table The F function is a G permutation in a look up table Row = The higher order 4-bit index Column = The lower order 4-bit index Cryptovariable The Cryptovariable (key) is 10 bytes = 80 bits long (labeled 0 through 9) and used in its natural order Cryptovariable subscript is used in G-Permutation are interpreted mod -10 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 35
Example of Top Level Design Two major verilog module Regmem module for external I/O interface Algorithm module for encrytion/decryption 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 36
Memory Map 13 total registers 12 for data interface 1 register for control 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 37
Interface Description Device Inputs Input data buffer: 4 word (64-bits) Cryptovariable (key) buffer: 5 word (80-bits) Operating flag: Encrypt/Decrypt (1 for encryption, 0 for decryption) Start (writing a 1 starts the operation) Device Outputs Output data buffer: 4 word (64-bits) Operating flag: Done (a 1 indicates that the last operation is complete) 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 38
Algorithm Module 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 39
Algorithm Module - Blocks Control State Machine Controls the encryption/decryption process; K-Counter, Register Loading, Done indication bit Triggered by the Start command bit in control registers Fiestel Module Implements the G and G -1 function using logic and 4 look-up tables for F function P_reg1 through P_reg4 used for SKIPJACK data operation Input buffer can be reloaded with new data while operation is performed on the previous data - Speeds up throughput K-Counter Up/Down counter with preset and reset 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 40
Algorithm Module - State Machine 5-State machine to control both encryption/decryption 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 41
Algorithm Module - Feistel Module 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 42
Feistel Module - Description Single module to compute G and G -1 function Control based upon Enc_Decn control bit Reverses the input byte order to perform G -1 function (flipping the Fiestel structure to G function) 4 look-up ROMs (Altera specific) to implements F function 4 multiplexers 10:1 to select one of the 10 CV byte, controlled from the k-cntr look-up mechanism One 32 entry look-up ROM to eliminate mod 10 computation of 4k, 4k+1, 4k+2, 4k+3 4 multiplexers 2:1 (4-bit) to select the index for the encryption or decryption 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 43
AES 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 44
AES (Advanced Encryption Standard) Origins and characteristics clear a replacement for DES was needed have theoretical attacks that can break it have demonstrated exhaustive key search attacks can use Triple-DES but slow, has small blocks US NIST issued call for ciphers in 1997 15 candidates accepted (Jun/98), 5 were shortlisted in Aug/99 Rijndael was selected as the AES in Oct-2000 issued as FIPS PUB 197 standard in Nov-2001 designed by Rijmen-Daemen in Belgium an iterative rather than feistel cipher processes data as block of 4 columns of 4 bytes operates on entire data block in every round designed to be: resistant against known attacks speed and code compactness on many CPUs Simple to analyze 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 45
AES Requirements NIST Established the following reference criteria for proposals: Secret key / symmetric block cipher 128-bit data, 128/192/256-bit keys stronger & faster than Triple-DES active life of 20-30 years (+ archival use) provide full specification & design details both C & Java implementations NIST have released all submissions & unclassified analyses 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 46
AES structure Not a Feistel structure Data block of 4 columns of 4 bytes is state (128 bits) Key is expanded to array of words (44 words of 32 bits) Has 9/11/13 rounds in which state undergoes: I : byte substitution (1 S-box used on every byte) II : shift rows (permute bytes between groups/columns) III : mix columns (subs using matrix multipy of groups) IV : add round key (XOR state with key material) view as alternating XOR key & scramble data bytes Initial XOR key material & incomplete last round With fast XOR & table lookup implementation 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 47
Advanced Encryption Algorithm (AES) Internal structure Ex., 10 rounds for 128 bit keys Successive processing of block-state arrays, combined with the expanded key 128 bit sub-key in each round 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 48
Input/Output State Array and Key Expansion 16 rounds of successive transformation of a 128 bit blocks (state arrays), organized as a square matrix of bytes (16x16 bits, ordered by column) Key expanded from initial size (as a square matrix of bytes) to 44 columns (44 words, 4 bytes each) 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 49
Byte Substitution A simple substitution of each byte (defined) Uses one table of 16x16 bytes containing a permutation of all 256 8-bit values Each byte of state is replaced by byte indexed by row (left 4-bits) & column (right 4-bits) eg. byte {95} is replaced by byte in row 9 column 5 which has value {2A} S-box constructed using defined transformation of values (byte-to-byte substitution of the block), byte values as polynomials in GF(2 8 ) designed to be resistant to all known attacks 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 50
Shift Rows a circular byte shift in each each 1 st row is unchanged 2 nd row does 1 byte circular shift to left 3rd row does 2 byte circular shift to left 4th row does 3 byte circular shift to left decrypt inverts using shifts to right since state is processed by columns, this step permutes bytes between the columns 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 51
Mix Columns each column is processed separately / each byte is replaced by a value dependent on all 4 bytes in the column effectively a matrix multiplication in GF(2 8 ) using prime poly m(x) =x 8 +x 4 +x 3 +x+1 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 52
Add Round Key XOR state with 128-bits of the round key again processed by column (though effectively a series of byte operations) inverse for decryption identical since XOR own inverse, with reversed keys designed to be as simple as possible a form of Vernam cipher on expanded key requires other stages for complexity / security 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 53
I Advanced Encryption Algorithm (AES) XXXXX II III IV 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 54
Stream ciphers Block cipher (with ECB mode of operation) Structure for stream ciphers Possible implementation with block ciphers. How? 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 55
Stream ciphers process message bit by bit (as a stream) have a pseudo random keystream combined (XOR) with plaintext bit by bit randomness of stream key completely destroys statistically properties in message C i = M i XOR StreamKey i but must never reuse stream key otherwise can recover messages (cf book cipher) some design considerations are: long period with no repetitions statistically random depends on large enough key large linear complexity properly designed, can be as secure as a block cipher with same size key but usually simpler & faster 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 56
RC4 Proprietary cipher owned by RSA DSI Another Ron Rivest design, simple but effective Variable key size, byte-oriented stream cipher Widely used (web SSL/TLS, wireless WEP) Key forms random permutation of all 8-bit values Uses that permutation to scramble input info processed a byte at a time 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 57
RC4 Key Schedule starts with an array S of numbers: 0..255 use key to well and truly shuffle S forms internal state of the cipher // Initialization, S and T for i = 0 to 255 do S[i] = i T[i] = K[i mod keylen]) // Initial Permutation of S j = 0 for i = 0 to 255 do j = (j + S[i] + T[i]) (mod 256) swap (S[i], S[j]) 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 58
RC4 Encryption encryption continues shuffling array values sum of shuffled pair selects "stream key" value from permutation XOR S[t] with next byte of message to en/decrypt i = j = 0 for each message byte M i i = (i + 1) (mod 256) j = (j + S[i]) (mod 256) swap(s[i], S[j]) t = (S[i] + S[j]) (mod 256) C i = M i XOR S[t] 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 59
RC4 encryption model Algorithm explained in Stallings, Network Security Essentials (see section 2.4, Chapter 2) 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 60
RC4 Security claimed secure against known attacks have some analyses, none practical result is very non-linear since RC4 is a stream cipher, must never reuse a key have a concern with WEP, but due to key handling and/or pattern-repetitions rather than RC4 itself 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 61
Other stream ciphers SEAL A series (ex., A5, A8, GSM) 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 62
Outline Symmetric cryptography Symmetric encryption algorithms Attacks: Brute Force vs. Cryptanalysis Cipher block modes of operation Padding Encryption devices: location and management Key-distribution with symmetric cryptography 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 63
Also referred as conventional encryption, secret-key encryption or single-key encryption, or shared-secret key encryption Plaintext or cleartext M K ciphertext C K Plaintext or cleartext M (intelligible) Notation: M C={M}K M={C} K X Y= E[ K, X ] X=D [ K,Y ] 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 64
Block ciphers Modern symmetric methods (modern cryptography) Applied cryptography (computers, devices, HW, SW, ) Block-based design principles Initially inspired by classic methods (adapted for computers). More complexity Reference on standard structures: Ex., Feistel network structure Statistical properties Standardization Attacks: Brute Force attacks Differential and Linear Cryptanalysis principles Algebraic structures and operations Mathematic foundations 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 65
Stream ciphers Modern symmetric methods (modern cryptography) Applied cryptography (computers, devices, HW, SW, ) Stream-oriented processing Fast (ex., real-time bit-by-bit encryption/decryption) Also interesting for byte-streaming Interactive applications (ex., SSH) Download of byte-streams (ex., WEB, HTTP) Use of algebraic fast computations, boolean operations, modular arithmetic 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 66
Modern cryptography Key points Secrecy is in the key (not the algorithm, or its implementation) Publicly available, open specification, open validation More scrutiny more security Key-space, block-size implications Cryptanalysis: is the age of an algorithm an advantage? Modern symmetric encryption methods Algebraic structures Finite fields: groups, rings and fields Modular arithmetic Euclidean algorithm Finite fields of the form, GF(p) Polynomial arithmetic Finite fields of the form GF(2^n) 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 67
Symmetric algorithms Block-oriented symmetric ciphers Ex., DES, TripleDES, IDEA, Skypjack, RC5, RC6, AES, Blowfish, Toofish, CAST-128,... Different modes of operation: ECB, CBC, CFB, OFB, CTR,... Stream-Ciphers Ex., RC4, SEAL, Katsumi, A-series (GSM), etc Bit-by-bit operation Byte-stream based transformations Hybrid structure is also possible: Stream Ciphers implemented with Block-Cipher building blocks 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 68
AES - Advanced Encryption Standard >> Originally Rijndael from Daemen and Rijmen Substitution of DES (NIST Call for proposals) http://en.wikipedia.org/wiki/advanced_encryption_standardevaluation Criteria for AES Keys: 128, 192, 256 bits, Block sizes: 128 bits High dispersion with a simple (auditable) and fast internal structure and algebraic proofs Block-operations in successive rounds» Block operated as a matrix» Substitution Boxes» Shift rows» Mix columns» XOR with sub-keys (generated form an expansion of the initial key) Implementation issues: simple and fast implementations in SW and HW, simple auditing Best indicators from all the NIST defined tests (CMVP) 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 69
Symmetric cryptography requirements (1) An opponent who knows the algorithm and has access to one or more ciphertexts (C1, C2, Ci, Cn) would be unable to obtain the respective plaintexts (P1, P2, Pi, Pn), if she/he don t know the key K used to calculate Ci={Pi}K would be unable to figure out the key K, even if she/he is in possession of a number of pairs (Pi, Ci), with Ci = {Pi}K Security properties of symmetric ciphers Security in a symmetric encryption: depends on the secrecy of the secret key (as an input parameter for the encryption/decryption algorithm) not from the secrecy of the algorithm 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 70
Symmetric cryptography requirements (2) Security in symmetric cryptography requires: Sender and receiver (principals in a secure communication): must have obtained copies of the key K in a secure way (need a secure key-distribution protocol or secure key-establishment service) Must keep the shared keys K secure Key storage is an important concern Key exposition is an important concern Possible rekeying mechanisms (key-refreshments) for Perfect Backward Secrecy (PBS) and Perfect Future Secrecy (PFS) Prevention from possible compromising of keys Key-Independence ( perfect ) Fast or efficient rekeying may be an issue 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 71
Symmetric cryptography assessment Performance, implementation issues, test/certification Security concerns: Key size vs. Block Size: Robustness under Brute-Force Attacks Cryptanalysis attacks Cryptanalysis Differential cryptanalysis vs. Linear cryptanalysis Dispersion and entropy: formal distance tests between identical blocks resulting from different transformations of the same plaintext block Kasiski test: distance decomposition in prime factors and period evaluation with high probability as the CGD of the majority of evaluated distances Coincidence test: % of similar symbols in identical overlapping cryptograms in a progressive displacement Certification test programs and tools (ex., NIST CRYPTIK, METRIX http://csrc.nist.gov/groups/stm/cavp/ 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 72
Symmetric cryptography assessment Other current formal security verifications and proofs on symmetric cryptography: Sensibility to initial setup conditions Ex: Consequences in one bit changes Evaluation of uniform distribution characteristics Binary balance and mean entropy for a large number of generated keys (and consecutive sub-keys) and a large number of blocks (and consecutive sub-blocks) Auto and Cross Correlation in large number of generated keys /and consecutive sub-keys) Resistance to statistical attacks on pseudo-random generation mechanisms Performance/adaptability for specific purposes (HW, RAM, OS primitives, etc) 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 73
Robustness and computational security criteria Robustness: if it is impossible (computationally impossible) to decrypt a message on the basis of the ciphertext plus the knowledge of the encryption/decryption algorithm Computational security criteria: Infinite time to break with available computing power and resources (processing power MIPS, memory, storage, ) what is infinite time? Ex., More than the universe lifetime 10^11 years? Ex., More than the universe time in several orders of magnitude? Finite time to break but time exceeds the useful lifetime of the protected information Finite time to break but requires infinite or impossible computing power and resources what is impossible computing power? Ex., A quantity of computers requiring more silicon or germanium atoms than the total quantity of atoms (estimated) available in our galaxy? Ex., Processing speed required will cause the fusion of the materials? Available computing can break before the useful lifetime of the protected information but the cost (money) of such computing resources exceeds the value of the protected information 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 74
Big numbers [Schneier 1996] 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 75
Without no inherent mathematical weaknesses: Brute-force attack On average: half of key space searched 1 computer Computing Power aggregation Practical terms: need more than key search - Plaintext knowledge - More difficult in other cases: binary, compressed, hashed data 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 76
DES, IDEA, RC5, TEA, CAST-128, AES-128, AES-192, AES-256 AES-256 AES-192 TDEA / 3DES IDEA, RC5, TEA CAST-128, AES-128 10^11 Universe lifetime DES 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 77
Moore s Law and other predictions http://en.wikipedia.org/wiki/moore's_law Processing power doubles, each 18 months In 10 years, computers will be 100 times more powerful (general resources). A desktop will fit into a cell phone Gigabit wireless connectivity everywhere Personal networks will connect our computing devices and the remote services we subscribe to. Other aspects of the future are much more difficult to predict Anyone can not predict what the emergent properties of 100x computing power will bring: new uses for computing, new paradigms of communication. A 100x world will be different, in ways that will be surprising. 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 78
More brute-force attack estimations Moore Law (computing power): double in each 18 months. Cost estimation to break Key size Year (attack) Ex., Breaking with $10 Millions in 2000: Extrapolation using the Moore law 80 96 112 128 144 160 176 192 208 224 240 256 2010 2034 2058 2082 2106 2130 2154 2178 2202 2226 2250 2274 Symmetric Alg. (key sizes) Public- Key (ECC) Public Key (RSA) Time to Break Storage needs 56 112 420 < 5 min Trivial 80 160 760 600 months 96 192 1020 3x10^6 years 128 256 1620 10^16 years 4GB 170GB 120TB Robert Silverman, Technical Report RSA Laboratories, 2000 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 79
Brute-Force conclusions Even if managed to speed up by a factor of 1 trillion (10^12) Brute force attacks on 128 bit keys require 1 million years So, in practice, 128 bit keys (no weak keys, generated randomly and securely established and maintained) are unbreakable with brute-force attacks From this baseline the next security problem is the possible cryptanalysis attacks against specific algorithms 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 80
Cryptanalysis Process of attempting to discover the plaintext or key, from the known or available information Cryptanalytic attacks: opponents using cryptanalysis - difficult High security criteria + difficult More commonly employed 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 81
Confidentiality using symmetric encryption Best-Practices and Bad-Practices Concerns behind keys: Key maintenance, Key-exposition Key-distribution, Key-establishment Placement of the encryption/decryption function Key-generation process and (random)-number generation Key-generation process and weak-keys discarding Perfect forward vs. backward secrecy Rekeying needs Recuperation of keys How to use Cipher Block Modes of operation in a secure way (or how to choose the correct mode) Padding and its relevance Combination of methods: secure combination? Dynamic configuration of cipher-suites and security association parameters / protocol design and implementation 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 82
Key-management in symmetric cryptography The previous problems are very relevant! In symmetric cryptography the key is the same for encryption /decryption Secret key-shared For 2 principals: 1 shared key 3 principals: 3 keys 4 principals: 6 keys 6 principals: 15 keys N principals: n(n-1)/2 keys O(n 2 ) Problem for secure-key-distribution, establishment and management Non KDC based (pre-established keys) KDC based (client/server model) Redundant KDCs (client/server group), ex., 1, 2, 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 83
Assessment approaches Assessment classic techniques Kasisky tests Frequency analysis Superposition and coincidence counting Friedman tests (variance analysis) See statistical analysis http://en.wikipedia.org/wiki /Comparison_of_statistical_packages Other tests: Uniform distribution Binary balance ( 0 and 1 distribution) Entropy metrics (ex., medium value in two consecutive keys Auto-Correlation or cross-correlation 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 84
Assessment approaches Conjugated statically tests in a battery (tools) Ex., Randomness tests: http://stat.fsu.edu/pub/diehard Assessment or certification programs and tools Ex., NIST: Ex: http://csrc.nist.gov/groups/st/toolkit/index.html 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 85
Outline Symmetric cryptography Symmetric encryption algorithms Cipher block modes of operation Padding Encryption devices: location and management Key-distribution with symmetric cryptography 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 86
Modes of Operation Block ciphers encrypt fixed size blocks eg. DES encrypts 64-bit blocks with 56-bit key need some way to encrypt/decrypt arbitrary amounts of data in practice ANSI X3.106-1983 Modes of Use (now FIPS 81) defines 4 possible modes: ECB, CBC, CFB, OFB subsequently 5 defined for AES & DES: CTR have block and stream modes 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 87
Plaintext blocks encrypted in an independent weay Fast, parallelizable Message repetitions may show in ciphertext if aligned with message block particularly with data such graphics or with messages that change very little, which become a code -book analysis problem Weakness is due to the encrypted message blocks being independent: same plaintext blocks produces the same cyphertext blocks (using the same key) Main use is sending a few blocks of data 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 88
ECB: manipulation of encrypted blocks Ex., electronic banking transaction, ref. with DES 1 block = 64 bits Timestamp OPcode Swift Code ID Bank Orig. Swift Code ID Bank Dest Name of entity: Ex., 6 blocks IBAN Dest. Account Ex., 4 blocks Ammount EUROS Bank A Mallory Eavesdropping + Message Replying + Message Tampering (on specific blocks) Bank B 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 89
ECB (graphics, patterns) Plaintext and Ciphertex with ECB What we want 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 90
Cipher Block Chaining Mode (CBC) The input to the encryption algorithm is the XOR of the current plaintext block and the preceding ciphertext block. Repeating pattern of 64-bits are not exposed Use Initial Vector (IV) to start process C i = DES K1 (P i XOR C i-1 ) C -1 = IV Uses: bulk data encryption, authentication Same plaintext blocks => Different cyphertext blocks, even when the same key is used (different IVs) 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 91
Henric Johnson 92 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 92
Security Performance + Security: plaintext patterns concealed by XORing with previous ciphertext blocks Input to blocks randomized by the previous cipher text block + Any change to a block affects all following ciphertext blocks +/- Plaintext somewhat difficult to manipulate Only 1 st block and last block can be removed) Bits changed in the first block: repetition allows controlled changes + More than one message can be encrypted with the same key + A ciphertext block depends on all blocks before it + Speed in ~the same as block cipher - But ciphertext is up to one block longer than the plaintext - No pre-processing is possible -/+ Encryption is not parallelizable, but decryption is parallelizable and has a random-access property 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 93
Fault-Tolerance - Need Initialization Vector (IV) which must be known to sender & receiver Requires synchronization if sent in clear, attacker can change bits of first block, and change IV to compensate hence IV must either be a fixed value (as in EFTPOS) or must be sent encrypted in ECB mode before rest of message A cipher text error affects one full plaintext block and the correspondent bit in the next block Synchronization errors unrecoverable 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 94
Cipher Feedback Mode (CFB) Conversion of a block ciphers as stream cipher (byte-oriented block cipher) Message is treated as a stream of bits Added to the output of the block cipher Result is feed back for next stage (hence name) Standard allows any number of bit (1,8, 64 or 128 etc) to be feed back denoted CFB-1, CFB-8, CFB-64, CFB-128 etc Most efficient to use all bits in block (64 or 128) C i = P i XOR DES K1 (C i-1 ) C -1 = IV Uses: stream data encryption, authentication 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 95
2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 96
Security + Appropriate when data arrives in bits/bytes, most common stream mode (without counting) + Plaintext concealed, input to block cipher is randomized + More than one message can be encrypted with the same key (changing the IV) +/- Plaintext somewhat difficult to manipulate Only 1 st block and last block can be removed) Bits changed in the first block: repetition allows controlled changes Performance + Speed is ~the same as the block cipher + Cipher text with the same size than plaintext (not counting the IV) +/- Encryption not parallelizable, decryption parallelizable and has a random access property + Some pre-processing is possible (previous cipher text can be encrypted (before a new plaintext block) Note that the block cipher is used in encryption mode at both 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 97
Fault-tolerance Limitation is need to stall while do block encryption after every n-bits Errors propogate for several blocks after the error: affecting correspondent bits of plaintext and the next full block Synchronization errors of full block sizes are recoverable. A 1-bit CFB can recover from the addition or loss of single bits 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 98
message is treated as a stream of bits output of cipher is added to message output is then feed back (hence name) feedback is independent of message can be computed in advance C i = P i XOR O i O i = DES K1 (O i-1 ) O -1 = IV uses: stream encryption on noisy channels 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 99
Security Performance + Plaintext patterns concealed + Input to the block cipher is randomized + More than one message can be encrypted with the same key (provided that a different IV is used) - Plaintext is very easy to manipulate; any change in cipher text directly affects the plaintext - more vulnerable to message stream modification A variation of a Vernam cipher hence must never reuse the same sequence (key+iv) originally specified with m-bit feedback (but subsequent research has shown that only full block feedback ie CFB-64 or CFB-128) should ever be used for high security) + Speed is ~the same as block cipher - Cipher text is the same size as the plaintext, not counting the IV + Pre-Processing possible before the message is seen -/+ not parallelizable 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 100
Fault-tolerance + Bit errors do not propagate - Cipher text error affects only the corresponding bit of plaintext - But sender & receiver must remain in sync: synchronization error not recoverable 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 101
A new mode, though proposed early on Similar to OFB but encrypts counter value rather than any feedback value Must have a different key & counter value for every plaintext block (never reused) C i = P i XOR O i O i = DES K1 (i) Uses: high-speed network encryptions 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 102
2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 103
Security Same criteria as OFB Random access to encrypted data blocks Provable security (good as other modes) But must ensure never reuse key/counter values, otherwise could break (cf OFB) Performance Efficiency + ~The same Better than OFB Parallelizable: can do parallel encryptions in h/w or s/w can pre-process in advance of need good for bursty high speed links Performance as OFB 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 104
Security CBC (entire blocks), CFB (mainly with m-bit blocks, more secure => larger m) ECB, OFB and Counter: plaintext easy to manipulate Performance ECB, CTR (parallelizable) CFB (only partial parallelization in the decryption) CBC same but no pre-processing OFB no parallelization, no pre-processing Fault-Tolerance CFB - synchronization errors of full block sizes are recoverable, but cipher text error affect the correspondent bit of plaintext + the next full block), OFB, CTR (ciphertext errors only affect the correspondent bit in plaintext) ECB, CBC, OFB, CTR - Sync. Errors unrecoverable, 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 105
OCB Mode (generic encryption mode) 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 106
OCB Mode (Authentication computation) 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 107
Other usual modes (Wireless communication settings) Mix counter modes, efficient block-chaining, merging in general encryption with authentication proofs, with the same goals as OCB Examples: IAPM XCBC CCM EAX GCM CWC PCFB CS 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 108
Comparative analysis See, ex: Svenda, IPICS 2004, Basic comparison of Modes for Authenticated-Encryption (IAPM, XCBC, OCB, CCM, EAX, CWC, GCM, PCFB, CS) 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 109
Interleaving technique Ex., CBC Interleaving Multiplex/Demultiplex with Interleaving Single message Multiple messages 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 110
Outline Symmetric cryptography Symmetric encryption algorithms Cipher block modes of operation Padding Encryption devices: location and management Key-distribution with symmetric cryptography 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 111
Message Padding At end of message must handle a possible last short block which is not as large as blocksize of cipher pad either with known non-data value (eg nulls) or pad last block along with count of pad size eg. [ b1 b2 b3 0 0 0 0 5] means have 3 data bytes, then 5 bytes pad+count this may require an extra entire block over those in message Padding standardization: PKCS#5, PKCS#7, OAEP, etc See practical classes / labs - examples There are other, more esoteric modes, which avoid the need for an extra block 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 112
Outline Symmetric cryptography Symmetric encryption algorithms Cipher block modes of operation Padding Encryption devices: location and management Key-distribution with symmetric cryptography 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 113
Security principles Correct use of symmetric cryptography Need for secure key-distribution and management Choose between block and stream ciphers, according with the application needs and security concerns Key-sharing is an issue for applications with a large number of principals One only key for all the principals is not a good idea Possible approach: pair-wise shared keys Problem: for N principals you need to establish N x (N-1)/2 keys in the environment 1 for 2, 3 for 3, 6 for 4, 10 for 5,. 45 for 10, 4500 for 100, 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 114
Security principles Minimize the exposition of keys Minimal exposition in memory during runtime processes (discard as far as you don t need) Paranoid: delete/rewrite memory in explicit way with random bits 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 115
2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 116
Link encryption: A lot of encryption devices (smart cards, TPMs) High level of security Decrypt each packet at every switch End-to-end encryption The source encrypt and the receiver decrypts Payload encrypted Header in the clear But you can encrypt headers with tunneling techniques (how?) High Security: Both link and end-to-end encryption are needed Virtualization VMs and Isolation (Hypervisor solutions) CPU Virtualization + I/O Virtualization Network perimiter defenses 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 117
Managing keys securely Different keys (or different passwords, different key seeds, etc...) for different security domains Managed with a MASTER KEY protecting a Trust Repository (Software vs. Hardware local strong encryption) http://hackaday.com/2010/09/27/gpu-processing-and-password-cracking/ Keys and Cryptographic functions inside trust computing modules (smartcards, HW tamper proof modules or TPMs) 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 118
Outline Symmetric cryptography Symmetric encryption algorithms Cipher block modes of operation Padding Encryption devices: location and management Key-distribution with symmetric cryptography 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 119
Establishment of symmetric keys Scale problem and key-management issues How many shared keys are managed by each principal? Possibility: 1 only key, shared with everybody (not good idea) One key shared by a pair of principals (pairwise keys): Combinations N, 2-2: N x (N-1)/2 chaves 10 principals: 45 keys, 11 pricipals: 55 keys,... How to retrieve a loss key? How to dismiss (revoke) compromised keys End-to-End vs. Link-to-link level PFS and PBS problem Perfect future secrecy and Perfect Backword Secrecy Key-independence for Perfect Fast methods for ReKeying Key-contribution and fairness requirements 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 120
You need secure key-distribution protocols to use cryptography Possible solutions 1. A key could be selected by A and physically delivered to B, involving a key-agreement between A and B 2. A third party could select the key and physically deliver it to A and B 3. If A and B have previously used a key, one party could transmit the new key to the other, encrypted using the old key. 4. If A and B each have an encrypted connection to a third party C, C could deliver a key on the encrypted links to A and B. 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 121
Session keys: Data encrypted with a one-time session key Or one-time pad (rekeying) for each message in a session At the conclusion of the session, or message-by-message the key is destroyed (ephemeral keys) Permanent keys: Used between entities for the purpose of distributing session keys Used as long-time shared keys for the renegotiation of new session keys (rekeying process) Example: shared symmetric keys between the principals and KDCs Example: public-keys registered in PKCs for possible direct negotiation of shared symmetric keys by the principals themselves Keep in mind: it is a long-time duration secret critical to be managed and keep in security 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 122
2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 123
Different key-distribution protocols Protocols with symmetric cryptography For entity authentication (no key-distribution) Server-less key establishment Server based key establishment (or KDC based) Multiple-server based key establishment Protocols with asymmetric cryptography Entity-authentication based (no key-distribution) Server based (or PKC based) protocols Key-Agreement protocols Diffie-Hellman based Elliptic-Curve D-H (ECDH Scheme) Identity-Based Conference or Group-oriented based Hybrid protocols 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 124
Different key-distribution protocols KDC based protocols ( ): Needham Schroeder and variants Otway-Rees Neuman-Stubblebine Miller-Neuman (kerberos) Yahalom Wide Mouth Frog Janson-Tsudik Bellare-Rogaway Who-Lam Gong Boyd PKC based protocols ( ) Needham-Schroeder with public-key crypto and variants Many others PKI based key-distribution, X509 Authentication services TLS Scheme Beller-Chang-Yacobi TMN AKA 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 125
William Stallings, Network Security Essentials, Chap.2 (summarized vision) William Stallings, W. Cryptography and Network Security: Principles and Practice, 2 nd edition. Pearson - Prentice Hall, 4 th edition, 2006, chap 2, chap 3, chap.5 and chap. 6 Schneier, B. Applied Cryptography, New York: Wiley, 1996 Complementary (for Authentication and Key-Establishment): Colin Boyd and A. Mathuria,, Protocols for Authentication and Key-Establishment, Springer, 2003 Base-protocols (ex, Needham-Schroeder), Distributed Systems bibliography See also http://en.wikipedia.org/wiki/needham Schroeder_protocol 2011 rev, Henrique J. Domingos, DI/FCT/UNL Symmetric Encryption Slide 126