Graduate Course on Computer Security Lecture 2: Cryptography Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ DIMI, Universita di Udine, Italy December 3, 2001
Outline of cryptography Symmetric ciphers Block ciphers Stream ciphers Data Encryption Standard () What is a secure cipher? Computer Security: 2 Cryptography 2
Confidentiality Implement a virtual trusted channel over an insecure medium E D Computer Security: 2 Cryptography 3
Insecure Channels External observer can Read traffic Inject new traffic Erase traffic sometimes Modify traffic sometimes Computer Security: 2 Cryptography 4
Classical of Cryptography Encryption Encrypted message (ciphertext) Decryption Message (cleartext, plaintext) E key E, D realize a virtual trusted channel, given key D Message (cleartext, plaintext) Computer Security: 2 Cryptography 5
Modern Cryptography Not just about confidentiality! Integrity Digital signatures Hash functions Fair exchange Contract signing Anonymity Electronic cash Electronic voting Computer Security: 2 Cryptography 6
A Brief of Cryptography ~2000 years ago: Substitution ciphers A few centuries later: Permutation ciphers Renaissance: Polyalphabetic ciphers 1844: Mechanization 1976: Public-key cryptography Computer Security: 2 Cryptography 7
Substitution Ciphers Replace each letter with another Key: substitution table How to break it? Brute force? 26! possibilities (= 4x10 26 ) Count the frequencies of letters, pairs, Arabs had tabulated the Koran by 1412 Ciphertext is enough: ciphertext-only attack Example: QVAQBCWZQRLWDVEFW IAMINDECIPHERABLE A V B E C Z D C E W F G G O Caesar s cipher: H L I Q J N K H L F M A N B O S P R Q I R D S U T Y U K A C B E D F X A Y B Z C V X W M X T Y J Z P Computer Security: 2 Cryptography 8
Permutation Ciphers k = 1 2 3 4 5 3 5 4 1 2 Switch letters around by a permutation Example: HELLOWORLD Key: permutation Breakable with ciphertext-only attack LOLHERDLWO Computer Security: 2 Cryptography 9
Renaissance Ciphers Use message and key letters for cipher Key: a word (CRYPTO) Example: WHATANICEDAYTODAY CRYPTOCRYPTOCRYPT ZZZJUCLUDTUNWGCQS + (mod 26) Polyalphabetic cipher: Encryption of letter is context-dependent Seed of modern cryptography Computer Security: 2 Cryptography 10
Mechanization The Enigma 1844: invention of telegraph Beginning of civilian crypto Rotor machines Key: initial position of rotors Culminate in WW II 1975: 1996-2000 AES 1976: Public key cryptography We will examine in some detail Computer Security: 2 Cryptography 11
Symmetric Ciphers Encryption box Encrypted message (ciphertext) Decryption box M E X X D M Message (cleartext) k Secret key D k (E k (m)) = m Message (cleartext) Computer Security: 2 Cryptography 12
Properties of a Good Cipher D k (E k (m)) = m E, D : {0,1} n x {0,1} l {0,1} n For every k, E k is an injection with inverse D k E k (m) is easy to compute, given m and k D k (x) is easy to compute, given x and k Polynomial in max{n,l} - often linear If x = E k (m), it is hard to find m without k Exponential in min{n,l} Computer Security: 2 Cryptography 13
Open Design Kerchoff s Principle (1883) The security of a cryptosystem must not depend on keeping the algorithm secret No security by obscurity Better Lots of smart but innocuous people dissect it Than a single smart malicious Computer Security: 2 Cryptography 14
Attack Models x Random Random m, x E k (m) Ciphertext Only Known Plaintext Chosen E k (m) Chosen D k (x) m, x x, m Chosen Plaintext Known Plaintext Good ciphers resist all attack models Computer Security: 2 Cryptography 15
Successful Decrypt future messages coded with k Recover k Hard Often not needed! Exploit properties of the cipher See Lecture 5 (WEP) Computer Security: 2 Cryptography 16
Sneaky Differential Power Analysis on 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Obtain the key somehow Network sniffers, worms, backup tapes, Blackmail, bribery, torture, Be careful! Detail: Round 2 Round 3 From http://www.cryptography.com/dpa/technical Side-channel cryptanalysis Power consumption off-peak computation Encryption time random noise Radiation physical shielding Better implementation and design Computer Security: 2 Cryptography 17
Encrypting Long messages Most algorithms operate on fixed sizes E.g. 64 bits for Block ciphers Slice m into m 1,, m n Add padding to last block Use E k to produce x 1,, x n Use D k to recover m 1,, m n Stream ciphers Rely on pseudo-random sequence Computer Security: 2 Cryptography 18
Electronic Codebook Mode ECB Any identical block encrypted identically Lots of ciphertext with the same k Dictionary attack m: E k E k E k Attacker records blocks Substitute them back when appropriate Encryption guarantees secrecy, not integrity x: n bits n bits n bits n bits Computer Security: 2 Cryptography 19
Exclusive OR Fundamental operation of many ciphers y 0 0 1 z 0 1 1 y z 0 1 0 Properties y y = 0 y 0 = y y 1 = y 1 0 1 y z z = y Computer Security: 2 Cryptography 20
Cipher Block Chaining CBC Encryption x 1 = E k (m 1 IV) x i = E k (m i x i-1 ) Decryption m 1 = D k (x 1 ) IV Initialization Vector m: IV x: n bits E k n bits E k n bits E k n bits m i = D k (x i ) x i-1 Widely used E.g IPSec Computer Security: 2 Cryptography 21
Output Feedback Mode OFB Encryption x i = m i E k (IV) i m: n bits E k E k E k n bits Decryption m i = x i D k (IV) i Initialization Vector IV x: n bits n bits NB: encryption is never applied to m Computer Security: 2 Cryptography 22
One-Time Pad E k (m) = m k D k (x) = x k Requires m = k Very fast Perfect secrecy Prob[guessing m] = Prob[guessing m x] k should never be reused again! x 1 = m 1 k x x 2 = m 2 k 1 x 2 = m 1 m 2 k very large for long messages How to distribute it? Computer Security: 2 Cryptography 23
Pseudo-Random Bit Generators Deterministic functions RNG : {0,1} n {0,1} Stretch fixed-size seed to an unbounded sequence that looks random Computable approximation of one-time pad Example: RC4 Example: i := 0 i := 0 do forever i := i+1 mod 256 j := j+s[i] mod 256 swap s[i],s[j] t := s[i]+s[j] mod 256 output s[t] Seed: initial value of s Size of state: (2 256 ) 256 Computer Security: 2 Cryptography 24
Stream Ciphers One-time pad using a RNG Use k as seed? Reuse problem! E k (m) = m RNG(k) Typical usage (e.g., with ) E k (m) = k (s), m RNG(s) Chose new s each time strong fast Computer Security: 2 Cryptography 25
- Data Encryption Standard [NIST/IBM/NSA, released 1975] key Message blocks: 64 bits Keys: 56 bits Cleartext block 64 56 64 Ciphertext block Speed Software: 43,000 block/sec ~ 2.7 Mbit/sec Measured on an old 80486 at 66MHz OK for files and web pages Too slow for sound and video Hardware: 16.8 million block/sec ~ 1 Gbit/sec High speed Ethernet: 100 Mbit/sec Modem: 56 Kbit/sec Computer Security: 2 Cryptography 26
Feistel Networks n bits L 0 : R 0 : n bits f 1,, f k : {0,1} n {0,1} n Round 1 f 1 L 1 : R 1 : Arbitrary functions Not necessarily invertible Round 2 f 2 L k-2 : R k-2 : L i = R i-1 R i = L i-1 f i (R i-1 ) Round k-1 Round k f k-1 L k-1 : R k-1 : f k L k : R k : Computer Security: 2 Cryptography 27
Inverting a Feistel Network Theorem For any f 1,, f k : {0,1} n {0,1} n, a Feistel network computes a permutation π : {0,1} n {0,1} n L 0 : R 0 : f 1 L 1 : R 1 : f 2 Inverse: L i-1 = R i f i (L i ) R i-1 = L i Feistel networks convert generic functions into permutations L k-2 : R k-2 : f k-1 L k-1 : R k-1 : f k L k : R k : Computer Security: 2 Cryptography 28
Inside cleartext is a Feistel network with 64 16 rounds π 64 bit cleartext blocks 56 bits key f 1,, f 16 derived from key Initial permutation π (public) Decryption key 56 16-round Feistel Network π -1 64 64 Apply f 16,, f 1 (in reverse order) Same chip 64 ciphertext Computer Security: 2 Cryptography 29
The Functions f i x k i 48 bits f i (x) = F(x, k i ) k i derived from k Public key schedule 56 bits r 32 48 48 48 F: {0,1} 32 x {0,1} 48 {0,1} 32 is public 32 bits 48 bits ½ block x expanded to x Public replicator r S-boxes S j are public 6 bits 4 bits where the magic happens Rationale was kept secret Final permutation π is public Shuffles input for next round 6 S 1 6 S 2 6 S 3 6 S 4 6 S 5 6 S 6 6 S 7 6 S 8 4 4 4 4 4 4 4 4 32 π 32 F(x, k i ) Computer Security: 2 Cryptography 30
on Exhaustive search Given plaintext m and ciphertext x, with high probability there is a single key k s.t. x = (m,k) Trying 10 6 keys/sec, it takes 2,000 years However 1993, $10 6 homemade supercomputer breaks in 7 hours (CPA) More sophisticated attacks Use properties (e.g. (m,k) = (m,k)) Linear / differential crypto-analysis Computer Security: 2 Cryptography 31
Avoiding Exhaustive Search 3 is not a group Given k1, k2, with high probability there is no k3 s.t. E k1 (E k2 (m)) = E k3 (m) for every m 3 k1,k2 (m) = E k1 (D k2 (E k1 (m))) Key length: 112 bits Very popular encryption decryption Computer Security: 2 Cryptography 32
How about a 2? 2 k1,k2 (m) = E k1 ( E k2 (m))?? Meet-in-the-middle attack! m E X 1 X 2 X 2 56 m 1 m 2 =? For key length n, D X total work is only 2 n + 2 n = 2 n+1 m 2 56 Try all possible keys Effective key length is just 57 bits! Applies to any encryption algorithm Computer Security: 2 Cryptography 33
X encryption X k1,k2,k3 (m) = k1 E k2 (m k3) Key length: 56 + 2*64 = 184 bits However, effective key length is only about 100 bits Computer Security: 2 Cryptography 34
AES a Successor to Advanced Encryption Standard 1996: NIST issues public call for proposal Secure for next 50-100 years Block cipher faster than 3 Variable key lengths (128, 192, 256, bits) Open design 15 algorithms submitted Public (and private) crypto-analysis for 4 years 5 finalists Computer Security: 2 Cryptography 35
Oct. 2000: AES Contest Winner Rijndael, by J. Daemen and V. Rijmen Fast (~18-20 cycles to encrypt a byte) Small (98 Kb) Well understood characteristics Bit operations:, shift, Provides good safety (1.33 safety factor) Computer Security: 2 Cryptography 36
When is a Cipher Secure? m m E k (_) E k (0) x Polynomial adversary cannot tell a real encryption box from a fake one x Computer Security: 2 Cryptography 37
Formal Definition Let E: {0,1} n x {0,1} l {0,1} n A(x m) = 1 iff x = E k (m) A algorithm polynomial in key length l x m = E k (m) E is a secure encryption scheme if polynomial p(_) L s.t. l > L k {0,1} l Pr[A(x m m) = 1] - Pr[A(x 0 m) = 1] < 1/p(l) Computer Security: 2 Cryptography 38
Readings Andrea Sgarro, Codici Segreti, 1989 The comprehensive of Secret Communication from Ancient Times to the Internet David Kahn, The Code-Breakers, 1996 A. Menezes, P. van Oorschot and S. Vanstone, The Handbook of Applied Cryptography, 1996 Computer Security: 2 Cryptography 39
Exercises for Lecture 2 Find a way to measure the redundancy in the ASCII rendering of English (or Italian) text Prove the invertibility of a Feistel network Why is 3 immune from the meet-inthe-middle attack? Can you explain why 3 uses only 2 keys? What is the cost of breaking y iterated encryptions with different keys? Computer Security: 2 Cryptography 40
Next Public-Key Cryptography Computer Security: 2 Cryptography 41