F3 Symmetric Encryption

Transcription

1 F3 Symmetric Encryption

2 Cryptographic Algorithms: Overview During this course two main applications of cryptographic algorithms are of principal interest: Encryption of data: transforms plaintext data into ciphertext in order to conceal its meaning Signing of data: computes a check value or digital signature to a given plainor ciphertext, that can e verified y some or all entities eing ale to access the signed data Some cryptographic algorithms can e used for oth purposes, some are only secure and / or efficient for one of them. Principal categories of cryptographic algorithms: Symmetric cryptography using 1 key for en-/decryption or signing/checking Asymmetric cryptography using 2 different keys for en-/decryption or signing/checking Cryptographic hash functions using 0 keys (the key is not a separate input ut appended to or mixed with the data).

3 Attacking Cryptography (1): Cryptanalysis Cryptanalysis is the process of attempting to discover the plaintext and / or the key Types of cryptanalysis: Ciphertext only: specific patterns of the plaintext may remain in the ciphertext (frequencies of letters, digraphs, etc.) Known ciphertext / plaintext pairs Chosen plaintext or chosen ciphertext Newer developments: differential cryptanalysis, linear cryptanalysis Cryptanalysis of pulic key cryptography: The fact that one key is pulicly exposed may e exploited Pulic key cryptanalysis is more aimed at reaking the cryptosystem itself and is closer to pure mathematical research than to classical cryptanalysis Important directions: Computation of discrete logarithms Factorization of large integers

4 Attacking Cryptography (2): Brute Force Attack The rute force attack tries every possile key until it finds an intelligile plaintext: Every cryptographic algorithm can in theory e attacked y rute force On average, half of all possile keys will have to e tried Average Time Required for Exhaustive Key Search Key Size [it] Numer of keys Time required at 1 encryption / s Time required at 10 6 encryption / s = s = 35.8 minutes 2.15 milliseconds = s = 1142 years hours = s = years years

5 Attacking Cryptography (3): How large is large? Reference Numers Comparing Relative Magnitudes Reference Magnitude Seconds in a year Seconds since creation of solar system Clock cycles per year (50 MHz computer) Binary strings of length 64 Binary strings of length 128 Binary strings of length 256 Numer of 75-digit prime numers Electrons in the universe

6 Important Properties of Encryption Algorithms Consider, a sender is encrypting plaintext messages P 1, P 2,... to ciphertext messages C 1, C 2,... Then the following properties of the encryption algorithm are of special interest: Error propagation characterizes the effects of it-errors during transmission of ciphertext to reconstructed plaintext P 1, P 2,... Depending on the encryption algorithm there may e one or more erroneous its in the reconstructed plaintext per erroneous ciphertext it Synchronization characterizes the effects of lost ciphertext data units to the reconstructed plaintext Some encryption algorithms can not recover from lost ciphertext and need therefore explicit re-synchronization in case of lost messages Other algorithms do automatically re-synchronize after 0 to n (n depending on the algorithm) ciphertext its

7 Classification of Encryption Algorithms: Three Dimensions The type of operations used for transforming plaintext to ciphertext: Sustitution, which maps each element in the plaintext (it, letter, group of its or letters) into another element Transposition, which re-arranges elements in the plaintext The numer of keys used: Symmetric ciphers, which use the same key for en- / decryption Asymmetric ciphers, which use different keys for en- / decryption The way in which the plaintext is processed: Stream ciphers work on it streams and encrypt one it after another: Many stream ciphers are ased on the idea of linear feedack shift registers, and there have een detected vulnerailities of a lot of algorithms of this class, as there exists a profound mathematical theory on this suect. Most stream ciphers do not propagate errors ut are sensile to loss of synchronization. Block ciphers work on locks of width with depending on the specific algorithm.

8 Symmetric Encryption General description: The same key K A,B is used for enciphering and deciphering of messages: Encrypt Decrypt Plaintext Ciphertext Ciphertext Plaintext Notation: If P denotes the plaintext message E(K A,B, P) denotes the ciphertext and it holds D(K A,B, E(K A,B, P)) = P Alternatively we sometimes write {P} KA,B or E KA,B (P) for E(K A,B, P) Examples: DES, 3DES, AES,...

9 Two types of ciphers Sustitution Cipher. In the simplest form: Each letter is replaced y another letter. More realistically: Each lock of letters is replaced y another lock of letters. Transposition Cipher (Permutation). The letters in a lock are permuted. The same permutation is used for every lock.

10 Confusion and Diffusion Concepts defined y Claude Shannon Diffusion Dependency etween output and input. Ideally, flipping one input it should flip each output it with proaility of one half. Knowledge of many cipher texts doesn't give information aout the plaintext. A small change in the plaintext X gives a ig change in the cipher text C.

11 Confusion Complex relationship etween key and cipher text. Knowledge of a many cipher texts doesn't give information aout the keys. A small change in the key K gives a ig change in the cipher text C.

12 Symmetric Block Ciphers - Algorithm Overview Some popular algorithms: Data Encryption Standard (DES) International Data Encryption Algorithm (IDEA) Triple encryption with a lock cipher, e.g. Triple-DES New standard: Advanced Encryption Standard (AES) Open standardization process with international participation Started in 1997 y call for algorithms In Octoer 2000, one algorithm called Rindael has een proposed for AES AES standard announced in Novemer 2001 See also

13 The Feistel Cipher A sort of a first version of DES. Not actually a cipher ut more like a prototype of cipher. Developed y Horst Feistel (IBM) Sudivides a 64-it lock in two 32-it locks. The locks are permuted, added to different keys and put together.

14

15 Feistel's recommendation The size of the lock should e 64 its. The size of the key should e 128 its. The numer of rounds should e 16. The function F should e sufficiently complicated.

16 The Data Encryption Standard (DES) History 1973 the National Bureau of Standards (NBS, now National Institute of Standards and Technology, NIST) issued a request for proposals for a national cipher standard, demanding the algorithm to: provide a high level of security, e completely specified and easy to understand, provide security only y its key and not y its own secrecy, e availale to all users, e adaptale for use in diverse applications, e economically implementale in electronic devices, e efficient to use, e ale to e validated, and e exportale. None of the sumissions to this first call came close to these criteria. In response to a second call, IBM sumitted its algorithm LUCIFER, a symmetric lock cipher, which works on locks of length 128 it using keys of length 128 it and that was the only promising candidate

17 DES History continued The NBS requested the help of the National Security Agency (NSA) in evaluating the algorithm s security: The NSA reduced the lock size to 64 it, the size of the key to 56 it and changed details in the algorithm s sustitution oxes. Many of the NSA s reasoning for these modifications ecame clear in the early 1990 s, ut raised great concern in the late 1970 s. Despite all criticism the algorithm was adopted as Data Encryption Standard in the series of Federal Information Processing Standards in 1977 (FIPS PUB 46) and authorized for use on all unclassified government communications. DES has een widely adopted in the years to follow

18 DES Algorithm Outline 64 it plaintext 56 it key Initial Permutation Permuted Choice 1 Iteration 1 K 1 Permuted Choice 2 Left Circular Shift / 2 Iteration 2 K 2 Permuted Choice 2... Left Circular Shift / 2 Iteration 16 K 16 Permuted Choice 2 Left Circular Shift / 2 32 it Swap Inverse Initial Permutation 64 it ciphertext

19 DES Single Iteration (1) Data to e encrypted Key used for encryption 32 it 32 it 28 it 28 it L i-1 R i-1 C i-1 D i-1 Expansion Permutation Left Shift Left Shift R i-1... K i K i Permutation Contraction (Perm. Choice 2) f(r i-1, K i ) S-Box: Choice Sustitution 32 Permutation + 32 L i R i C i D i

20

21

22

23 DES Single Iteration (2) The right-hand 32 it of the data to e encrypted are expanded to 48 it y the use of an expansion / permutation tale Both the left- and the right-hand 28 it of the key (also called sukeys) are circularly left-shifted and the resulting value is contracted to 48 it y the use of a permutation / contraction tale The aove two values are XORed and fed into a choice and sustitution ox: Internally this operation is realized y 8 so-called s-oxes, each of them mapping a six it value to a four it value according to a ox-specific tale, altogether leading to a 32 it output The design of these s-oxes was strengthened y the NSA, which led to intense discussion in the 1970 s and was understood in the 1990 s after the discovery of differential cryptanalysis The output of the aove step is permuted again and XORed with the left-hand 32 it of data leading to the new right-hand 32 it of data The new left-hand 32 it of data are the right-hand value of the previous iteration

24 DES Decryption (1) Using the areviation f(r, K) the encryption process can e written as: L i = R i-1 R i = L i-1 f(r i-1, K i ) This design idea (splitting the data into two halfs and organize encryption according to the aove equations) is used in many lock ciphers and is the essentila part of a Feistel The DES decryption process is essentially the same as encryption. It uses the ciphertext as input to the encryption algorithm, ut applies the sukeys in reverse order So, the initial values are: L 0 R 0 = InitialPermutation(ciphertext) ciphertext = InverseInitialPermutation(R 16 L 16 ) L 0 R 0 = InitialPermuation(InverseInitialPermutation(R 16 L 16 )) = R 16 L 16 After one step of decryption: L 1 = R 0 = L 16 = R 15 R 1 = L 0 f(r 0, K 16 ) = R 16 f(r 15, K 16 ) = [L 15 f(r 15, K 16 )] f(r 15, K 16 ) = L 15

25 DES Decryption (2) This relationship holds through all the process as: R i-1 = L i L i-1 = R i f(r i-1, K i ) = R i f(l i, K i ) Finally, the output of the last round is: L 16 R 16 = R 0 L 0 After the last round, DES performs a 32-it swap and the inverse initial permutation: InverseInitialPermutation(L 0 R 0 ) = InverseInitialPermutation(InitialPermutation(plaintext)) = plaintext

26 DES Security (1) Key weaknesses: Weak keys: four keys are weak as they generate sukeys with either all 0 s or all 1 s Semiweak keys: there are six pairs of keys, which encrypt plaintext to identical ciphertext as they generate only two different sukeys Possily weak keys: there are 48 keys, which generate only four different sukeys As a whole 64 keys out of 72,057,594,037,927,936 are considered weak Algeraic structure: If DES were closed, then for every K 1, K 2 there would e a K 3 such that: E(K 2, E(K 1,M)) = E(K 3, M), thus doule encryption would e useless DES is not closed, thus a multiple encryption scheme might e used to increase the key length (see also elow)

27 DES Security (2) Differential cryptanalysis: In 1990 E. Biham and A. Shamir pulished this method of analysis It looks specifically for differences in ciphertexts whose plaintexts have particular differences and tries to guess the correct key from this The asic approach needs chosen plaintext together with its ciphertext DES with 16 rounds is immune against this attack, as the attack needs 2 47 chosen plaintexts or (when converted to a known plaintext attack) 2 55 known plaintexts. The designers of DES told in the 1990 s that they knew aout this kind of attacks in the 1970 s and that the s-oxes were designed accordingly Key length: As a 56 it key can e searched in hours when eing ale to perform 10 6 encryptions / s (which is feasile today), DES can no longer e considered as sufficiently secure

28 Extending the Key-Length of DES y Multiple Encryption (1) Doule DES: as DES is not closed, doule encryption results in a cipher that uses 112 it keys: Unfortunately, it can e attacked with an effort of 2 56 As C = E(K 2, E(K 1, P)) we have X := E(K 1, P) = D(K 2, C) If an attacker can get one known plaintext / ciphertext pair then he can construct two tales (meet-in-the-middle-attack): Tale 1 holds the values of X when P is encrypted with all possile values of K Tale 2 holds the values of X when C is decrypted with all possile values of K Sort the two tales and construct keys K T1 K T2 for all cominations of entries that yield to the same value As there are 2 64 possile ciphertext values for any given plaintext that could e produced y Doule-DES, there will e on the average /2 64 = 2 48 false alarms on the first known plaintext / ciphertext pair. Every additional plaintext / ciphertext pair reduces the chance of getting a wrong key y a factor of 1 / 2 64, so with two known locks the chance is 2-16

29 Extending the Key-Length of DES y Multiple Encryption (2) So, the effort required to reak Doule DES is on the magnitude of 2 56, which is only slightly etter than the effort of 2 55 required to reak Single DES with a known plaintext attack and far from the we would expect from cipher with a key length of 112 it! This kind of attack can e circumvented y using a triple encryption scheme, as proposed y W. Tuchman in 1979: C = E(K 3, D(K 2, E(K 1, P))) The use of the decryption function D in the middle allows to use triple encryption devices with peers that only own single encryption devices y setting K 1 = K 2 = K 3 Triple encryption can e used with two (set K 1 = K 3 ) or three different keys There are no known practical attacks against this scheme up to now Drawack: the performance is only 1/3 of that of single encryption, so it might e a etter idea to use a different cipher, which offers a igger keylength right away

30 The Advanced Encryption Standard AES (1) Jan. 1997: the National Institute of Standards and Technology (NIST) of the USA announces the AES development effort. The overall goal is to develop a Federal Information Processing Standard (FIPS) that specifies an encryption algorithm(s) capale of protecting sensitive government information well into the next century. The algorithm(s) is expected to e used y the U.S. Government and, on a voluntary asis, y the private sector. Sep. 1997: formal call for algorithms, open to everyone on earth AES would specify an unclassified, pulicly disclosed encryption algorithm(s), availale royalty-free, worldwide. The algorithm(s) must implement symmetric key cryptography as a lock cipher and (at a minimum) support lock sizes of 128-its and key sizes of 128-, 192-, and 256-its. Aug. 1998: first AES candidate conference NIST announces the selection of 15 candidate algorithms Demand for pulic comments

31 The Advanced Encryption Standard AES (2) Mar. 1999: second AES candidate conference Discussion of results of the analysis conducted y the gloal cryptographic community on the candidate algorithms. April 1999: Using the analyses and comments received, NIST selects five algorithms as finalist candidates: MARS, RC6, Rindael, Serpent, and Twofish Demand for pulic comments on any aspect of the finalists: Cryptanalysis Implementation issues Intellectual property & Overall recommendations May 2000: third AES candidate conference Octoer 2000: Rindael is announced as NIST s proposal for AES 28. Feruary 2001: draft FIPS standard is pulished [AES01a] 29. May 2001: comment period ends 26. Novemer 2001: official announcement of the AES standard

32 The Advanced Encryption Standard AES (3) Key and lock lengths: Key Length: 128, 192, or 256 it Block Length: 128, 192, or 256 it In the following only 128 it is considered The algorithm operates on: state[4, 4]: a yte-array of 4 rows and 4 columns (for 128 it lock size) key[4, 4]: an array of 4 rows and 4 columns (for 128 it key size) Numer of rounds: 10 (for lock and key size of 128 it) Rounds 1-9 make use of four different operations: ByteSu: a non-linear yte sustitution (asically an s-ox) ShiftRow: the rows of the state are cyclically shifted y various offsets MixColumn: the columns of state[] are considered as polynomials over GF(2 8 ) and multiplied modulo x with a fixed polynomial c(x), given y c( x ) = 03 x x x + 02 RoundKey: a round-key is XORed with the state Round 10 does not make use of the MixColumn operation

33 The Advanced Encryption Standard AES (4) Structure of one Round in Rindael (source: Rindael, a presentation y J. Daemen and V. Rimen)

34

35 The Stream Cipher Algorithm RC4 (1) RC4 is a stream cipher that has een invented y Ron Rivest in 1987 It was proprietary until 1994 when someone posted it anonymously to a mailing list RC4 is operated in the output feedack mode (OFB): The encryption algorithm generates a pseudo-random sequence RC4(IV, K), that depends only on the key K and an initialization vector IV The plaintext P i is then XORed with the pseudo-random sequence to otain the ciphertext and vice versa: C 1 = P 1 RC4(IV 1, K) P 1 = C 1 RC4(IV 1, K) The pseudo-random sequence is often also called keystream It is crucial to the security that keystream is never re-used!!! If keystream is re-used (that is IV 1 = IV 2 with the same K), then the XOR of two plaintexts can e otained: C 1 C 2 = P 1 RC4(IV, K) P 2 RC4(IV, K) = P 1 P 2

36 The Stream Cipher Algorithm RC4 (2) RC4 uses a variale length key up to 2048 it Actually, the key serves as the seed for a pseudo-random-it-generator RC4 works with two 256 yte arrays: S[0,255], K[0,255] Step 1: Initialize the arrays for (i = 0; i < 256; i++) S[i] = i; // fill array S[] with 0 to 255 // fill array K[] with the key and IV y repeating them until K[] is filled n = 0; for (i =0; i < 256; i++) { n = (n + S[i] + K[i]) MOD 256; swap(s[i], S[n]); } Step 2: Generate the keystream (after initializing i = 0; n = 0;) i = (i + 1) MOD 256; n = (n + S[i]) MOD 256; swap(s[i], S[n]); t = (S[i] + S[n]) MOD 256; Z = S[t]; // Z contains 8 it of keystream produced y one iteration Step 3: XOR the keystream with the plaintext or ciphertext

37 The Stream Cipher Algorithm RC4 (3) Security of RC4: Security against rute force attacks (trying every possile key): The variale key length of up to 2048 it allows to make them impractical (at least with the resources availale in our universe) However, y reducing the key length RC4 can also e made aritrarily insecure! RSA Data Security, Inc. claims that RC4 is immune to differential and linear cryptanalysis, and no small cycles are known RC4 with 40 it keys had special export status, even when other ciphers were not allowed to e exported from the USA Secure Socket Layer (SSL), which has een designed to secure HTTP transfers uses RC4 with 40 it key length as the default algorithm 40 it key length is not immune against rute-force attacks However, recent results show weaknesses that, depending on the details of the key scheduling method, lead to severe vulnerailities! [FMS01a, Riv01a, SIR01a]

38 Symmetric Block Ciphers - Modes of Encryption 1 General Remarks & Notation: A plaintext p is segmented in locks p 1, p 2,... each of length or, respectively, where denotes the lock size of the encryption algorithm and < The ciphertext c is the comination of c 1, c 2,... where c i denotes the result of the encryption of the i th lock of the plaintext message The entities encrypting and decrypting a message have agreed upon a key K.

39 Symmetric Block Ciphers - Modes of Encryption 2 Electronic Code Book Mode (ECB): Every lock p i of length is encrypted independently: c i = E(K, p i ) A it error in one ciphertext lock c i results in a completely wrongly recovered plaintext lock p i Loss of synchronization does not have any effect if integer multiples of the lock size are lost. If any other numer of its are lost, explicit re-synchronization is needed. Drawack: identical plaintext locks are encrypted to identical ciphertext! ECB Time = 1 Time = 2... Time = n P 1 P 2 P n Encrypt K Encrypt K Encrypt... K Encrypt C 1 C 2 C n

40 Symmetric Block Ciphers - Modes of Encryption 3 Cipher Block Chaining Mode (CBC): Before encrypting a plaintext lock p i it is XORed ( ) with the preceding ciphertext lock c i-1 : c i = E(K, c i-1 p i ) p i = c i-1 D(K, c i ) In order to compute c 1 oth parties agree on an initial value (IV) for c 0 Properties: Error propagation: A distorted ciphertext lock results in two distorted plaintext locks, as p i is computed using c i-1 and c i Synchronisation: If the numer of lost its is a multiple integer of, one additional lock p i+1 is distorted efore synchronization is re-estalished. If any other numer of its are lost explicit re-synchronization is needed. Advantage: identical plaintext locks are encrypted to nonidentical ciphertext.

41 Symmetric Block Ciphers - Modes of Encryption 4 CBC Time = 1 Time = 2... Time = n P 1 P 2 P n IV + + C n-1 + Encrypt K Encrypt K Encrypt... K Encrypt C 1 C 2 C n C 1 C 2 C n Decrypt K Decrypt K Decrypt... K Decrypt IV + + C n-1 + P 1 P 2 P n

42 Symmetric Block Ciphers - Modes of Encryption 5 Ciphertext Feedack Mode (CFB): A lock encryption algorithm working on locks of size can e converted to an algorithm working on locks of size (<): Let: then : S(, x) denote the higher significant its of x P i, C i denote the i th lock of plain- and ciphertext of length IV e an initial value oth parties have agreed upon R C S S R IV 1 n Rn 1 2 mod 2 Cn 1 n S, EK Rn Pn, EK Rn Cn S, EK Rn S, EK Rn Pn, EK Rn Cn Pn // -it left shift and XOR with old ciphertext A current value of is 8 for encryption of one character per step

43 Symmetric Block Ciphers - Modes of Encryption 6 CFB Time = 1 Time = 2... Time = m Shift-Reg. - Shift-Reg. - C m-1 Shift-Reg. - Encrypt K Encrypt K Encrypt... K Encrypt P 1 Select Discard - + C 1 P 2 Select Discard - + C 2 P m Select Discard - + C m Decrypt K Shift-Reg. - Encrypt K Shift-Reg. - Encrypt... C m-1 K Shift-Reg. - Encrypt P 1 Select Discard - + C 1 P 2 Select Discard - + C 2 P m Select Discard - + C m

44 Symmetric Block Ciphers - Modes of Encryption 7 Properties of CFB: Error propagation: As the ciphertext locks are shifted through the register step y step, an erroneous lock c i distorts the recovered plaintext lock p i as well as the following / locks Synchronisation: If the numer of lost its is a multiple integer of then / additional locks are distorted efore synchronization is reestalished. If any other numer of its are lost explicit re-synchronization is needed. Drawack: The encryption function E needs to e computed more often, as one encryption of it has to e performed to conceal it of plaintext Example: Use of DES with encryption of one character at a time: encryption has to e performed 8 times more often

45 Symmetric Block Ciphers - Modes of Encryption 8 Output Feedack Mode (OFB): The lock encryption algorithm is used to generate a pseudo-random sequence R i, that depends only on K and IV: Let: then : S(, x) denote the higher significant its of x P i, C i denote the i th lock of plain- and ciphertext of length IV e an initial value oth parties have agreed upon R S R IV 1 R mod 2 S E R n n 1 2, K n 1 n S, EK Rn Pn, EK Rn Cn S, EK Rn S, EK Rn Pn, EK Rn Cn Pn C S // -it left shift + encrypted old value The plaintext is XORed with the pseudo-random sequence to otain the ciphertext and vice versa

46 Symmetric Block Ciphers - Modes of Encryption 9 OFB Encrypt K Time = 1 Time = 2... Time = m Shift-Reg. - Encrypt K Shift-Reg. - Encrypt S(, E K (R m-1 ))... K Shift-Reg. - Encrypt P 1 Select Discard - + C 1 P 2 Select Discard - + C 2 P m Select Discard - + C m Decrypt K Shift-Reg. - Encrypt K Shift-Reg. - Encrypt S(, E K (R m-1 ))... K Shift-Reg. - Encrypt P 1 Select Discard + - C 1 P 2 Select Discard - + C 2 P m Select Discard + - C m

47 Symmetric Block Ciphers - Modes of Encryption 10 Properties of OFB: Error propagation: Single it errors result only in single it errors no error multiplication Synchronisation: If some its are lost explicit re-synchronization is needed Advantage: The pseudo-random sequence can e pre-computed in order to keep the impact of encryption to the end-to-end delay low Drawacks: Like with CFB the encryption function E needs to e computed more often, as one encryption of it has to e performed to conceal it of plaintext It is possile for an attacker to manipulate specific its of the plaintext