Network Security: Secret Key Cryptography

Size: px

Start display at page:

Download "Network Security: Secret Key Cryptography"

Jacob Randall
8 years ago
Views:

1 1 Network Security: Secret Key Cryptography Henning Schulzrinne Columbia University, New York Columbia University, Fall 2000 c , Henning Schulzrinne Last modified September 28, 2000 Slide 1 Secret Key Cryptography fixed-size block, fixed-size key block DES, IDEA message into blocks? Slide 2

edu Columbia University, Fall 2000 c 1999-2000, Henning Schulzrinne Last modified

2 2 Generic Block Encryption convert block into another, one-to-one long enough to avoid known-plaintext attack 64 bit typical (nice for RISC!) ½ ½¼ ½ (peta) naive: ¾ input values, 64 bits each ¾ ¼ bits output should look random plain, ciphertext: no correlation (half the same, half different) bit spreading substitution: ¾ values mapped ¾ bits permutation: change bit position of each bit ÐÓ ¾ bits to specify round: combination of substitution of chunks and permutation do often enough so that a bit can affect every output bit but no more Slide 3 Block Encryption 64 bit input 8bits 8bits 8bits 8bits 8bits 8bits 8bits 8bits S1 S2 S3 S4 S5 S6 S7 S8 key based substitution functions 8bits 8bits 8bits 8bits 8bits 8bits 8bits 8bits 64 bit intermediate permute the bits, possibly based on the key loop for n rounds 64 bit output Slide 4

bits permutation: change bit position of each bit ÐÓ ¾ bits to specify round: combination of substitution of chunks and permutation do often enough so that a bit can affect every output bit but no

3 3 Data Encryption Standard (DES) published in 1977 by National Bureau of Standards developed at IBM ( Lucifer ) 56-bit key, with parity bits 64-bit blocks easy in hardware, slow in software 50 MIPS: 300 kb/s 10.7 Mb/s on a 90 MHz Pentium in 32-bit protected mode grow 1 bit every 2 years Slide 5 Breaking DES brute force: check all keys 500,000 MIPS years easy if you have known plaintext have to know something about plaintext (ASCII, GIF,...) commercial DES chips not helpful: key loading time decryption time easy to do with FPGA, without arousing suspicion easily defeated with repeated encryption Slide 6

7 Mb/s on a 90 MHz Pentium in 32-bit protected mode grow 1 bit every 2 years Slide 5 Breaking DES brute force: check all keys 500,000 MIPS years easy if

4 4 DES Overview initial permutation 56-bit key bit per-round keys (different subset) 16 rounds: 64 bit input + 48-bit key 64-bit output final permutation (inverse of initial) decryption: run backwards reverse key order Slide 7 Permutation just slow down software th byte µth bits even-numbered bits into byte 1-4 odd-numbered bits into byte 5-8 no security value: if we can decrypt innards, we could decrypt DES Slide 8

reverse key order Slide 7 Permutation just slow down software th byte µth bits even-numbered bits into

5 5 DES: Generating Per-Round Keys 56-bit key bit keys Ã ½ Ã ½ : bits8,16,..., 64 areparity permutation split into 28-bit pieces ¼ ¼ : again, no security value rounds 1, 2, 9, 16: single-bit rotate left otherwise: two-bit rotate left permutation for left/right half of Ã discard a few bits 48-bit key in each round Slide 9 XOR Arithmetic Ü Ü ¼ Ü ¼ Ü Ü ½ Ü Slide 10

1, 2, 9, 16: single-bit rotate left otherwise: two-bit rotate left permutation for

6 6 DES Round mangler function can be non-reversible Ä Ò ½ Ê Ò Ê Ò ½ Ñ Ê Ò Ã Ò µ Ä Ò decryption Ê Ò Ä Ò ½ Ä Ò Ñ Ê Ò Ã Ò µ Ê Ò ½ because ( Ä Ò Ê Ò ½ ): Ê Ò ½ Ê Ò ½ Ä Ò Ñ µ Ä Ò Ä Ò Ê Ò ½ Slide 11 DES Mangler Function Ê ¾µ Ã µ Ä Ò Ê Ò ½ expand from 32 to 48 bits: 4-bit chunks, borrow bits from neighbors 6-bit chunks: expanded Ê Ã 8 different S-boxes for each 6 bits of data Sbox: 6 bit (64 entries) into 4 bit (16) table: 4 each four separate 4x4 S-boxes, selected by outer 2 bits of 6-bit chunk afterwards, random permutation: P-box Slide 12

chunks, borrow bits from neighbors 6-bit chunks: expanded Ê Ã 8 different S-boxes for each 6 bits of data Sbox: 6 bit (64 entries)

7 7 DES: Weak Keys 16 keys to avoid: ¼ ¼ 0...0, 1...1, , sequential key search avoid low-numbered keys 4 weak keys = ¼ ¼ ¼ ¼ or ½ ½ own inverses: Ñµ Ñµ semi-weak keys: ½ Ñµ ¾ Ñµ Slide 13 IDEA International Data Encryption Algorithm ETH Zurich, 1991 similar to DES: 64 bit blocks but 128-bit keys Slide 14

own inverses: Ñµ Ñµ semi-weak keys: ½ Ñµ ¾ Ñµ Slide 13 IDEA International Data

8 8 Primitive Operations 2 16-bit 1 16-bit: ÑÓ ¾ ½ Å ÑÓ ¾ ½ ½: reversible inverse Ý of Ü, Ü ¾ ½ ¾ ½ Å Ü Å Ý or Ü Å Ý ½ example: Ü ¾ Ý ¾ Euclid s algorithm reason: ¾ ½ ½is prime treat 0 as encoding for ¾ ½ Slide 15 IDEA Key Expansion 128-bit key bit keys Ã ½ Ã ¾ encryption, decryption: different keys key generation: first chop off 16 bit chunks from 128 bit key eight 16-bit keys start at bit 25, chop again eight 16-bit keys shift 25 bits and repeat Slide 16

128-bit key 52 16-bit keys Ã ½ Ã ¾ encryption, decryption: different keys key generation: first chop off 16 bit

9 9 IDEA: One Round 17 rounds, even and odd 64 bit input 4 16-bit inputs: operations output ¼ ¼ ¼ ¼ odd rounds use Ã Ã Ã Ã Ã even rounds use ¾Ã Ã Ã Slide 17 IDEA: Odd Round ¼ Å Ã ¼ Å Ã ¼ Ã ¼ Ã reverse with inverses of Ã : ¼ Å Ã ¼ Å Ã Å Ã ¼ Slide 18

Ã Ã even rounds use ¾Ã Ã Ã Slide 17 IDEA: Odd Round ¼ Å Ã ¼ Å

10 10 IDEA: Even Round mangler: ÓÙØ ÓÙØ Ò Ò Ã Ã µ 1. Ò Ò 2. ÓÙØ Ã Å Ò Ò µ Å Ã ÓÙØ Ã Å Ò ÓÙØ 3. ¼ ÓÙØ ¼ ÓÙØ ¼ ÓÙØ ¼ ÓÙØ Slide 19 IDEA Even Round: Inverse ¼ ÓÙØ Feed ¼ to input: ¼ ÓÙØ ÓÙØ µ ÓÙØ round is its own inverse! same keys Slide 20

11 11 Encrypting a Large Message Electronic Code Book (ECB) Cipher Block Chaining (CBC) -bit Cipher Feedback Mode (CFB) -bit Output Feedback Mode (OFB) Slide 21 Electronic Code Book (ECB) break into 64-bit blocks encrypt each block independently some plaintext same ciphertext easy to change message by copying blocks bit errors do not propagate rarely used Slide 22

(ECB) break into 64-bit blocks encrypt each block independently some plaintext same

12 12 Cipher Block Chaining (CBC) simple fix: blocks with 64-bit random number must keep random number secret repeats in plaintext ciphertext can still remove selected blocks Slide 23 Cipher Block Chaining (CBC) random number Ö ½ : previous block of ciphertext random (but public) initialization vector (IV): avoid equal initial text Trudy can t detect changes in plaintext can t feed chosen plaintext to encryption but: can twiddle some bits (while modifying others): modify Ò to change desired Ñ Ò ½ (and Ñ Ò ) combine with MICs Slide 24

random (but public) initialization vector (IV): avoid equal initial text Trudy can t detect changes in plaintext can t feed chosen

13 13 Output Feedback Mode (OFB) 64-bit OFB: encrypt IV: ¼ ½ encrypt ¾ Ñ, transmit with IV ciphertext damage limited plaintext damage can be transmitted byte-by-byte but: known plaintext modify plaintext into anything extra/missing characters garble whole rest variation: -bit OFB Slide 25 Cipher Feedback Mode (CFB) similar to OFB: generate bits, with plaintext use bits of ciphertext instead of IV-generated can t generate ahead of time 8-bit will resynchronize after byte loss/insertion requires encryption for each bits Slide 26

variation: -bit OFB Slide 25 Cipher Feedback Mode (CFB) similar to OFB: generate bits, with plaintext use bits of ciphertext instead

14 14 Generating MICs only send last block of CBC CBC residue any modification in plaintext modifies CBC residue replicating last CBC block doesn t work P+I: use separate (but maybe related) secret keys for encryption and MIC two encryption passes CBC(message hash) Slide 27 Multiple Encryption DES applicable to any encryption, important for DES encrypt-decrypt-encrypt (EDE): just reversible functions two keys Ã ½, Ã ¾ decryption just reverse: standard CBC Ã ½ Ã ¾ Ã ½ Ñ Ã ½ Ã ¾ Ã ½ Ñ Slide 28

CBC(message hash) Slide 27 Multiple Encryption DES applicable to any encryption, important for DES encrypt-decrypt-encrypt

15 15 Triple DES: Why 3? security efficiency Ã ½ Ã ¾ : twice the work for encryption, cryptanalyst Ã ½ µ plaintext Ñ Ö Ã ¾µ (ciphertext) not quite equivalent to 112 bit key: assume given Ñ ½ ½ µ Ñ ¾ ¾ µ Ñ µ Table A: ¾ (½¼ TB) entries: Ö Ã Ñ ½ Ã,sortbyÖ Table B: ¾ entries: Ö ½ decrypted with Ã, sorted find matching Ö Ã Ã if multiple Ã Ã pairs, test against Ñ ¾ ¾,etc. ¾ values, ¾ entries 1/256 chance to appear in table ¾ matches Slide 29 Triple DES: Why 3? Table A: Ö Ñ ½ Ãµ (64 bits) Ã (56 bits) abcd00 ab abcd abcd ab8348a abcd08 185ab c... Table B: Slide 30

Ñ ½ ½ µ Ñ ¾ ¾ µ Ñ µ Table A: ¾ (½¼ TB) entries: Ö Ã Ñ ½ Ã,sortbyÖ Table B: ¾ entries: Ö ½ decrypted with Ã, sorted find matching Ö Ã Ã if multiple Ã Ã pairs,

16 16 Ö ½ Ãµ (64 bits) abcd abcd abcd abcd09... Ã (56 bits) 38acd043858ac ab8a8d8a0 058a0fa858abcd fd884a computation: ¾ ¾ ¾ Slide 31 Triple DES EDE: can run as single DES with Ã ½ Ã ¾ can be used with any chaining method CBC on the outside no change in properties CBC on the inside avoid plaintext manipulation but want self-synchronizing: wrong bit Ü in block Ò ½ Ò ½ garbled, Ò Ü changed, others unaffected CBC inside: parallelization Slide 32

as single DES with Ã ½ Ã ¾ can be used with any chaining method CBC on the outside no change in properties CBC on the inside

Block encryption. CS-4920: Lecture 7 Secret key cryptography. Determining the plaintext ciphertext mapping. CS4920-Lecture 7 4/1/2015

Block encryption. CS-4920: Lecture 7 Secret key cryptography. Determining the plaintext ciphertext mapping. CS4920-Lecture 7 4/1/2015 CS-4920: Lecture 7 Secret key cryptography Reading Chapter 3 (pp. 59-75, 92-93) Today s Outcomes Discuss block and key length issues related to secret key cryptography Define several terms related to secret