Symmetric Cryptography CS4264 Fall 2016
Correction: TA Office Hour Stefan Nagy (snagy2@vt.edu) Office hour: Thursday Friday 10-11 AM, 106 McBryde Hall 2
Slides credit to Abdou Illia RECAP AND HIGH-LEVEL CONCEPTS 3
Recap: Encryption Encryption: encoding information, only authorized parties can read Plaintext: the intended communication information (original message) Ciphertext: encrypted message (usually not understandable) Cipher: encryption/decryption algorithm Key: a parameter of the (en-)decryption algorithm that determines output Plaintex EncrypEon Algorithm Ciphertex Ciphertex DecrypEon Algorithm Plaintex Symmetric-key scheme (e.g., DES, AES) The keys for encryption and decryption are the same. Communicating parties must have the same key before communication Public key scheme (e.g., RSA) Public key is published for anyone to encrypt a message Only authorized parties have the private key to decrypt the message 4
Symmetric Key Encryption Methods Two categories of methods Stream cipher: operates on individual bits (or bytes); one at a time Block cipher: operates on fixed-length groups of bits called blocks Only a few symmetric methods are used today Methods Year approved Comments Data Encryption Standard - DES 1977 1998: Electronic Frontier Foundation s Deep Crack breaks a DES key in 56 hrs DES-Cipher Block Chaining Triple DES TDES or 3DES 1999 Advanced Encryption Standard AES 2001 among the most used today Other symmetric encryption methods IDEA (International Data Encryption Algorithm), RC5 (Rivest Cipher 5), CAST (Carlisle Adams Stafford Tavares), Blowfish 5
Data Encryption Standard (DES) DES is a block encryption method, i.e. uses block cipher DES uses a 64 bit key; It is actually 56 bits + 8 bits computable from the 56 bits Problem: same input plaintext gives same output ciphertext 64-Bit Plaintext Block 64-Bit DES Symmetric Key (56 bits + 8 redundant bits) DES EncrypEon Process 64-Bit Ciphertext Block 6
Confusion: attacker should not be able to predict what will happen to the ciphertext by changing one char in the plaintext Encrypt each block independently à not secure! Need to chain them together ECB (not secure) Cipher-block chaining 7
DES-Cipher Block Chaining DES-CBC uses ciphertext from previous block as input making decryption by attackers even harder An 64-bit initialization vector is used for first block First 64-Bit Plaintext Block DES Key IniEalizaEon Vector (IV) DES EncrypEon Process Second 64-Bit Plaintext Block DES Key First 64-Bit Ciphertext Block DES EncrypEon Process Second 64-Bit Ciphertext Block 8
Triple DES (3DES) 168-Bit Encryption with Three 56-Bit Keys Sender Receiver 1st Encrypts original plaintext with The 1 st key Decrypts ciphertext with the 3d key 3rd 2nd Decrypts output of first step with the 2 nd key Encrypts output of the first step with the 2 nd key 2nd 3rd Encrypts output of second step with the 3d key; gives the ciphertext to be sent Decrypts output of second step with the 1 st key; gives the original plaintext 1st 9
Triple DES (3DES) using two keys 112-Bit Encryption With Two 56-Bit Keys Sender Receiver 1st Encrypts plaintext with the 1 st key Decrypts ciphertext with the 1 st key 1st 2nd Decrypts output with the 2 nd key Encrypts output with the 2 nd key 2nd 1st Encrypts output with the 1 st key Decrypts output with the 1 st key 1st 10
Your knowledge about Cryptography Based on the way DES and 3DES work, which of the following is true? a) b) c) 3DES requires more processing time than DES Compared 3DES, DES requires more RAM Both a and b Given the increasing use of mobile devices, 3DES will be more practical than DES. a) b) True False 11
Advanced Encryption Standard - AES Developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen, and submitted to the AES selection process under the name "Rijndael Offers key lengths of 128 bit, 192 bit, and 256 bit Efficient in terms of processing power and RAM requirements compared to 3DES Can be used on a wide variety of devices including o Cellular phones o PDAs o Etc. 12
DES, 3DES, and AES DES 3DES AES Key Length (bits) 56 112 or 168 128, 192, 256 Key Strength Weak Strong Strong Processing Requirements Moderate High Modest RAM Requirements Moderate High Modest 13
How does DES/AES work? THE ALGORITHMS BEHIND 14
S-box: table-lookup based substitution P-box: table-lookup based permutation DES Confusion Substitutions Permutations Diffusion Substitutions and Permutations. 15
Confusion: the interceptor should not be able to predict what will happen to the ciphertext by changing one char in the plaintext Diffusion: the cipher should spread the info from the plaintext over the entire ciphertext Cipher-block chaining (CBC) 16
Cipher Block Chaining cipher block: if input block repeated, will produce same cipher text --- not secure! t=1 m(1) = HTTP/1.1 block cipher t=17 m(17) = HTTP/1.1 block cipher c(1) c(17) = k329am02 = k329am02 Cipher block chaining: XOR ith input block, m(i), with previous block of cipher text, c(i-1) - c(0) transmitted to receiver in clear - what happens in HTTP/1.1 scenario from above? c(i-1) m(i) + block cipher c(i) 17
DES in Cipher Block Chaining mode DES: inputs are in blocks of 64 bits XOR In each DES box, there are 16 cycles of operaeons 18
Initialization vector sent along with the cipher-text Cipher block chaining mode <Init vec, C 0, C 1 > is given to the sender Picture from Bishop [Computer Security] 19
Decryption uses the same key and init vec EncrypEon DecrypEon Now we understand Cipher Block Chaining, So how exactly does DES work? Picture from Bishop [Computer Security] 20
16 cycles in DES 21
A Cycle in DES 32 bits 64 bits 32 bits Right half and key to 48 bits L j = R j-1 R j = L j-1 XOR f(r j-1, k j ) 22
How to reduce 64-bit key to 48 bits? How to expand 32-bit right half to 48 bits? Types of Permutations. 23
Expansion permutation lookup table 24
S-boxes (Substitution-boxes) Now Put them together Details of a cycle in DES. 25
Permutation box used in DES (P-box) 26
S-box -- How is substitution done? Table lookup (total 8 S-boxes) 27
28
S-box lookup (substitution) input 48 bits Divide inputs into 8 blocks (6-bit each) B1, B2, B3, B4, B5, B6, B7, B8 Block B i is operated on by S-Box S i Block B i has bits b1,b2,b3,b4,b5,b6 b1,b2,b3,b4,b5,b6 b1 b6: 01 b2 b3 b4 b5: 1001 9 0 1 0 0 1 1 Block7: 3 In S-box S 7, lookup the table at row 1 column 9 Thus, we subsetute B 7 (010011) with 3 (0011) Results are 32 bits (not 48 bits); all values in lookup table under 15 1 29
Complete DES, decryption 1. 64-bit key is reduced to 56 bits (removing for every 8 bits) 2. Initial permutation: a block of 64 data bits is permuted 3. 16 cycles of the following 1 2 3 Key is shifted & permuted according to tables Right half of data substituted & permuted XOR left half with right half 4. Final permutation done for one block 5. Cipher block chaining Encryption Rewrite above into L j = R j-1 R j = L j-1 XOR f(r j-1, k j ) Decryption is the same as encryption result depends only on previous cycle R j-1 = L j L j-1 = R j XOR f(l j, k j ) Use keys in reverse order k 16, k 15, 30
Estimating the feasibility of brute-force attacks 2 56 possible keys Diffie-Hellman parallel attack: 10 6 chips, 1 ms per key-test à done in 1day Would cost $20M in 77, but feasible as hardware gets cheaper 1997 a brute-force attack was proven successful Divide key search space among 3,500 machines and done in 4-mon DES challenge by RSA Lab Experimentally validated 1977 s concern on DES security 31
How to formally analyze the security of DES? Select pairs of plaintext with subtle differences and observe effects on ciphertext [Biham-Shamir 90] differential analysis Chosen-plaintext attack: adversary selects plaintext DES S-box 6-bit input 4-bit output Output should be independent on input and key, however, in DES s: same bit in two plaintext d: different bit ddsdsd dsss 14 times/64 ddds 14 times/64 6-bit Key The analysis allows inferring values of key bits 6-bit Key 32
3-DES or triple-des http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf 3-DES is a compound operation of DES encryption and decryption operations 1. TDEA encrypeon operaeon: the transformaeon of a 64-bit block I into a 64-bit block O that is defined as follows: O = E K3 (D K2 (E K1 (I))). 2. TDEA decrypeon operaeon: the transformaeon of a 64-bit block I into a 64-bit block O that is defined as follows: O = D K1 (E K2 (D K3 (I))) For key-bundle (K1, K2, K3) 1. Keying OpEon 1: K1, K2 and K3 are independent keys; 2. Keying OpEon 2: K1 and K2 are independent keys and K3 = K1; 3. Keying OpEon 3: K1 = K2 = K3 same as DES. 33
AES: Advanced Encryption Standard New (Nov. 2001) symmetric-key NIST standard replacing DES processes data in 128 bit blocks 128, 192, or 256 bit keys Involves computation on Galois field Algebraic operations beyond scrambling bits Brute force decryption (try each key) taking 1 sec on DES, takes 149 trillion years for AES Estimated by NIST in 2001 block ciphers: DES, 3DES, Blowfish, AES 34
An AES Round 35
side channel attacks are possible when an attacker has an additional channel of information about a cryptosystem. e.g., information gained from the physical implementation of a cryptosystem measuring the time it takes to encrypt a message e.g., from power consumption e.g., electromagneec emissions of monitors or the sound produced by keyboards. Image from Siemens Lab Reflection in the eye http://www.scientificamerican.com/ article.cfm?id=hackers-can-steal-from-reflections 36
Q: What is the key disadvantage of Symmetric Key Encryption? 37
Diffie-Hellman public-key key exchange protocol Two parties to compute a common, shared key Based on the hardness of discrete logarithm problem Given integers n and g and prime number p, compute k such that o n = g k mod p Solutions known for small p Solutions computationally infeasible as p grows large Diffie s speech on PKC [recommend to start from 25.5-minute] hips://www.youtube.com/watch?v=1bjuuuxcaay Invented by Whieield Diffie and MarEn Hellman in 1976 38
Example Scenario Alice wants to exchange key to Bob Assume others can eavesdrop their communication channel 39
Diffie-Hellman key exchange Algorithm Constants: prime p, integer g 0, 1, p 1 Clarify public key and private key : Known to all participants - Private: cannot show it to others Goal: Alice and Bob agree on - a shared Public: can key show K it to shared w/o other attacker people knowing Alice chooses private key s Alice, computes her public key K Alice = g salice mod p Bob chooses private key s Bob, computes his public key K Bob = g sbob mod p Now we can exchange public keys K Alice and K Bob To communicate with Bob, Alice computes K shared = K Bob salice mod p To communicate with Alice, Bob computes K shared = K Alice sbob mod p It can be shown these keys are equal Use shared key to communicate with symmetric-key encryption (e.g., AES) 40
Example Assume p = 53 and g = 17 Alice chooses k Alice = 5 - Then K Alice = 17 5 mod 53 = 40 Bob chooses k Bob = 7 - Then K Bob = 17 7 mod 53 = 6 Shared key: - K Bob kalice mod p = 6 5 mod 53 = 38 - K Alice kbob mod p = 40 7 mod 53 = 38 Read the textbook. DH key exchange and its man-in-the-middle vulnerability. Think about how to fix it. 41