Network Security. Chapter 3 Symmetric Cryptography. Symmetric Encryption. Modes of Encryption. Symmetric Block Ciphers - Modes of Encryption ECB (1)



Similar documents
Network Security. Chapter 2 Basics 2.1 Symmetric Cryptography. Cryptographic algorithms: outline. Basic Terms: Block cipher and Stream cipher

F3 Symmetric Encryption

How To Encrypt With A 64 Bit Block Cipher

1 Data Encryption Algorithm

Network Security. Security of Wireless Local Area Networks. Chapter 15. Network Security (WS 2002): 15 Wireless LAN Security 1 Dr.-Ing G.

Cryptography and Network Security

Lecture 4 Data Encryption Standard (DES)

The Advanced Encryption Standard (AES)

CS 758: Cryptography / Network Security

The Advanced Encryption Standard: Four Years On

CSCE 465 Computer & Network Security

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

EXAM questions for the course TTM Information Security May Part 1

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Cryptography and Network Security Chapter 3

Key Hopping A Security Enhancement Scheme for IEEE WEP Standards

The Misuse of RC4 in Microsoft Word and Excel

A PPENDIX H RITERIA FOR AES E VALUATION C RITERIA FOR

Network Security. Security of Wireless Local Area Networks. Chapter 15. Network Security (WS 2003): 15 Wireless LAN Security 1. Dr.-Ing G.

Secret File Sharing Techniques using AES algorithm. C. Navya Latha Garima Agarwal Anila Kumar GVN

The Advanced Encryption Standard (AES)

Network Security - ISA 656 Introduction to Cryptography

Lecture 9 - Network Security TDTS (ht1)

Network Security. Modes of Operation. Steven M. Bellovin February 3,

Cryptography and Network Security Block Cipher

IJESRT. [Padama, 2(5): May, 2013] ISSN:

Introduction. Where Is The Threat? Encryption Methods for Protecting Data. BOSaNOVA, Inc. Phone: Web:

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1


Error oracle attacks and CBC encryption. Chris Mitchell ISG, RHUL

AES Cipher Modes with EFM32

Password-based encryption in ZIP files

Network Security. Omer Rana

Enhancing Advanced Encryption Standard S-Box Generation Based on Round Key

CCMP Advanced Encryption Standard Cipher For Wireless Local Area Network (IEEE i): A Comparison with DES and RSA

lundi 1 octobre 2012 In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal

Design and Verification of Area-Optimized AES Based on FPGA Using Verilog HDL

Block encryption. CS-4920: Lecture 7 Secret key cryptography. Determining the plaintext ciphertext mapping. CS4920-Lecture 7 4/1/2015

Table of Contents. Bibliografische Informationen digitalisiert durch

Implementation of Full -Parallelism AES Encryption and Decryption

AN RC4 BASED LIGHT WEIGHT SECURE PROTOCOL FOR SENSOR NETWORKS

Properties of Secure Network Communication

7! Cryptographic Techniques! A Brief Introduction

How To Attack A Block Cipher With A Key Key (Dk) And A Key (K) On A 2Dns) On An Ipa (Ipa) On The Ipa 2Ds (Ipb) On Pcode)

Overview of Symmetric Encryption

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

How To Understand And Understand The History Of Cryptography

AES1. Ultra-Compact Advanced Encryption Standard Core. General Description. Base Core Features. Symbol. Applications

Lecture 9: Application of Cryptography

IT Networks & Security CERT Luncheon Series: Cryptography

CRYPTOGRAPHY IN NETWORK SECURITY

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Chapter 8. Network Security

Network Security Technology Network Management

A Comparative Study Of Two Symmetric Encryption Algorithms Across Different Platforms.

The Encryption Technology of Automatic Teller Machine Networks

Improving Performance of Secure Data Transmission in Communication Networks Using Physical Implementation of AES

AN IMPLEMENTATION OF HYBRID ENCRYPTION-DECRYPTION (RSA WITH AES AND SHA256) FOR USE IN DATA EXCHANGE BETWEEN CLIENT APPLICATIONS AND WEB SERVICES

Lecture Note 8 ATTACKS ON CRYPTOSYSTEMS I. Sourav Mukhopadhyay

Survey on Enhancing Cloud Data Security using EAP with Rijndael Encryption Algorithm

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

The implementation and performance/cost/power analysis of the network security accelerator on SoC applications

Chapter 8 Network Security. Slides adapted from the book and Tomas Olovsson

SECURITY IN NETWORKS

Common Pitfalls in Cryptography for Software Developers. OWASP AppSec Israel July The OWASP Foundation

MAC. SKE in Practice. Lecture 5

Multi-Layered Cryptographic Processor for Network Security

CIS433/533 - Computer and Network Security Cryptography

Design and Implementation of Asymmetric Cryptography Using AES Algorithm

Cryptographic Algorithms and Key Size Issues. Çetin Kaya Koç Oregon State University, Professor

SPC5-CRYP-LIB. SPC5 Software Cryptography Library. Description. Features. SHA-512 Random engine based on DRBG-AES-128

IronKey Data Encryption Methods

Talk announcement please consider attending!

Evaluation of the RC4 Algorithm for Data Encryption

Blaze Vault Online Backup. Whitepaper Data Security

Keywords Web Service, security, DES, cryptography.

Secure Socket Layer. Introduction Overview of SSL What SSL is Useful For

Modern Block Cipher Standards (AES) Debdeep Mukhopadhyay

Security for Computer Networks

Symmetric Key cryptosystem

Wireless Security: Token, WEP, Cellular

Combining Mifare Card and agsxmpp to Construct a Secure Instant Messaging Software

Message Authentication

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

NETWORK ADMINISTRATION AND SECURITY

6 Data Encryption Standard (DES)

Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ MEng. Nguyễn CaoĐạt

Developing and Investigation of a New Technique Combining Message Authentication and Encryption

SeChat: An AES Encrypted Chat

A PPENDIX G S IMPLIFIED DES

Rijndael Encryption implementation on different platforms, with emphasis on performance

SAMPLE EXAM QUESTIONS MODULE EE5552 NETWORK SECURITY AND ENCRYPTION ECE, SCHOOL OF ENGINEERING AND DESIGN BRUNEL UNIVERSITY UXBRIDGE MIDDLESEX, UK

AStudyofEncryptionAlgorithmsAESDESandRSAforSecurity

Chapter 10. Network Security

Transcription:

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle Network Security Chapter 3 Symmetric Cryptography General Description Modes of ion Data ion Standard (DES) Advanced ion Standard (AES) The Stream Cipher RC4 Symmetric ion General description: The same key A,B is used for enciphering and deciphering of messages: Notation If P denotes the plaintext message, E( A,B, P) denotes the cipher text and it holds D( A,B, E( A,B, P)) = P Alternatively we sometimes write {P} A,B or E A,B (P) for E( A,B, P) Symmetric encryption E A,B is a bijective function D A,B is the inverse function of E A,B : D A,B = (E A,B ) -1 Examples: DES, 3DES, AES, RC4 Decrypt Plaintext Ciphertext Ciphertext Plaintext Network Security, WS 2008/09 2 Modes of ion Symmetric Block Ciphers - Modes of ion ECB (1) Block cipher modes A plaintext p is segmented in blocks p 1, p 2, each of length b or j, respectively, where b denotes the block size of the encryption algorithm and j < b The ciphertext c is the combination of c 1, c 2, where c i denotes the result of the encryption of the i th block of the plaintext message The entities encrypting and decrypting a message have agreed upon a key. E.g. Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Stream cipher modes A pseudorandom stream of bytes, called key stream is generated from the symmetric key The key stream is XORed with the plain text to generate the cipher text. E.g. Output Feedback Mode (OFB) Counter Mode (CTR) Electronic Code Book Mode (ECB): Every block p i of length b is encrypted independently: c i = E(, p i ) A bit error in one ciphertext block c i results in a completely wrongly recovered plaintext block p i (subsequent blocks are not affected) Loss of synchronization does not have any effect if integer multiples of the block size b are lost. If any other number of bits are lost, explicit re-synchronization is needed. Drawback: identical plaintext blocks are encrypted to identical ciphertext! ECB Time = 1 Time = 2 Time = n P n C n Network Security, WS 2008/09 3 Network Security, WS 2008/09 4

Symmetric Block Ciphers - Modes of ion ECB (2) Symmetric Block Ciphers - Modes of ion CBC (1) Original ed using ECB mode Source: http://www.wikipedia.org/ ed using other modes Cipher Block Chaining Mode (CBC): Before encrypting a plaintext block p i, it is XORed ( ) with the preceding ciphertext block c i-1 : c i = E(, c i-1 p i ) p i = c i-1 D(, c i ) Both parties agree on an initial value for c i called Initialization Vector (IV) c 0 = IV Properties: Advantage: identical plaintext blocks are encrypted to non-identical ciphertext. Error propagation: A distorted ciphertext block results in two distorted plaintext blocks, as p i is computed using c i-1 and c i Synchronisation: If the number of lost bits is a multiple integer of b, one additional block p i+1 is misreprensted before synchronization is re-established. If any other number of bits are lost explicit re-synchronization is needed. Applicable for ion Integrity check: use last block of CBC as Message Authentication Code (MAC) Network Security, WS 2008/09 5 Network Security, WS 2008/09 6 Symmetric Block Ciphers - Modes of ion CBC (2) CBC Error Propagation CBC Time = 1 Time = 2 Time = n A distorted ciphertext block results in two distorted plaintext blocks, as p i is computed using c i-1 and c i P n IV + + C n-1 + C n C n Decrypt Decrypt Decrypt Decrypt IV + + C n-1 + P n Source: http://www.wikipedia.org/ Network Security, WS 2008/09 7 Network Security, WS 2008/09 8

Symmetric Block Ciphers - Modes of ion OFB (1) Symmetric Block Ciphers - Modes of ion OFB (2) Output Feedback Mode (OFB): The block encryption algorithm is used to generate a key stream that depends only on and IV 0 = IV i = E(, i-1 ) C i = P i i OFB Time = 1 Time = 2 Time = m IV n-1 1 2 n The plaintext is XORed with the pseudo-random sequence to obtain the ciphertext and vice versa + + P n + C n Decrypt IV n-1 1 2 n + + C n + P n Network Security, WS 2008/09 9 Network Security, WS 2008/09 10 Symmetric Block Ciphers - Modes of ion OFB (3) Symmetric Block Ciphers Modes of ion - CTR (1) Properties of OFB: Error propagation: Single bit errors result only in single bit errors no error multiplication Synchronisation: If some bits are lost explicit re-synchronization is needed Advantage: The pseudo-random sequence can be pre-computed in order to keep the impact of encryption to the end-to-end delay low Drawbacks: It is possible for an attacker to manipulate specific bits of the plaintext However, this is not a problem, since an additional cryptographic mean is required for message integrity anyway Counter Mode (CTR) The block encryption algorithm is used to generate a key stream that depends on and a counter function ctr i. The counter function can be simply an increment modulo 2 w, where w is a convenient register width, e.g. ctr i = Nonce i The counter function does not provide any security other than the uniqueness of the input of to the block cipher function E The plaintext is XORed with the pseudo-random sequence to obtain the ciphertext and vice versa Putting everything together: i = E(, Nonce i) C i = P i i Network Security, WS 2008/09 11 Network Security, WS 2008/09 12

Symmetric Block Ciphers Modes of ion - CTR (2) Symmetric Block Ciphers Modes of ion - CTR (3) CTR Properties of CTR: Error propagation: c59bc35 0000 c59bc35 0001 c59bc35 0002 Single bit errors result only in single bit errors no error multiplication Synchronisation: If some bits are lost explicit re-synchronization is needed Decrypt 0 P 0 + c59bc35 0000 C 0 + 1 c59bc35 0001 2 + c59bc35 0002 Advantage: The key stream can be pre-computed in order to keep the impact of encryption to the end-to-end delay low The computation of the key stream can be even parallelized Drawbacks: It is possible for an attacker to manipulate specific bits of the plaintext However, this is not a problem, since an additional cryptographic mean is required for message integrity anyway 0 1 2 C 0 + P 0 + + Network Security, WS 2008/09 13 Network Security, WS 2008/09 14 Symmetric Block Ciphers - Algorithm Overview The Data ion Standard (DES) History Some popular algorithms: Data ion Standard (DES) Triple encryption with DES: Triple-DES Advanced ion Standard (AES) Stream Cipher Algorithm RC4 1973 the National Bureau of Standards (NBS, now National Institute of Standards and Technology, NIST) issued a request for proposals for a national cipher standard, demanding the algorithm to: provide a high level of security, be completely specified and easy to understand, provide security only by its key and not by its own secrecy, be available to all users, be adaptable for use in diverse applications, be economically implementable in electronic devices, be efficient to use, be able to be validated, and be exportable. None of the submissions to this first call came close to these criteria. In response to a second call, IBM submitted its algorithm LUCIFER, a symmetric block cipher, which works on blocks of length 128 bit using keys of length 128 bit and that was the only promising candidate Network Security, WS 2008/09 15 Network Security, WS 2008/09 16

DES History continued The NBS requested the help of the National Security Agency (NSA) in evaluating the algorithm s security: The NSA reduced the block size to 64 bit, the size of the key to 56 bit and changed details in the algorithm s substitution boxes. Many of the NSA s reasoning for these modifications became clear in the early 1990 s, but raised great concern in the late 1970 s. Despite all criticism the algorithm was adopted as Data ion Standard in the series of Federal Information Processing Standards in 1977 (FIPS PUB 46) and authorized for use on all unclassified government communications. DES has been widely adopted in the years to follow DES Algorithm Outline 64 bit plaintext 56 bit key Initial Permutation Iteration 1 Iteration 2 Iteration 16 32 bit Swap 1 2 16 Permuted Choice 2 Permuted Choice 2 Permuted Choice 2 Permuted Choice 1 Left Circular Shift / 2 Left Circular Shift / 2 Left Circular Shift / 2 Inverse Initial Permutation 64 bit ciphertext Network Security, WS 2008/09 17 Network Security, WS 2008/09 18 DES Single Iteration DES Security R i-1 f(r i-1, i ) i Data to be encrypted ey used for encryption 32 bit 32 bit 28 bit 28 bit L i-1 R i-1 Expansion Permutation 48 48 + i 48 S-Box: Choice Substitution 32 Permutation 32 + C i-1 D i-1 Left Shift Left Shift Permutation Contraction (Perm. Choice 2) Main weakness is the key length: As a 56 bit key can be searched in 10.01 hours when being able to perform 10 6 encryptions / μs (which is feasible today), DES can no longer be considered as sufficiently secure Differential cryptanalysis: In 1990 E. Biham and A. Shamir published a cryptoanalysis method for DES It looks specifically for differences in ciphertexts whose plaintexts have particular differences and tries to guess the correct key The basic approach needs chosen plaintext together with its ciphertext DES with 16 rounds is immune against this attack, as the attack needs 2 47 chosen plaintexts or (when converted to a known plaintext attack) 2 55 known plaintexts. The designers of DES told in the 1990 s that they knew about this kind of attacks in the 1970 s and that the s-boxes were designed accordingly L i R i C i D i Network Security, WS 2008/09 19 Network Security, WS 2008/09 20

Extending the ey-length of DES by Multiple ion The Advanced ion Standard AES (1) Triple encryption scheme, as proposed by W. Tuchman in 1979: C = E( 3, D( 2, E( 1, P))) The use of the decryption function D in the middle allows to use triple encryption devices with peers that only own single encryption devices by setting 1 = 2 = 3 (backwards compatibility with DES) Triple encryption can be used with two (set 1 = 3 ) or three different keys There are no known practical attacks against this scheme up to now Drawback: the performance is only 1/3 of that of single encryption, so it should be a better idea to use a different cipher, which offers a bigger keylength right away Jan. 1997: the National Institute of Standards and Technology (NIST) of the USA announces the AES development effort. The overall goal is to develop a Federal Information Processing Standard (FIPS) that specifies an encryption algorithm(s) capable of protecting sensitive government information well into the next century. The algorithm(s) is expected to be used by the U.S. Government and, on a voluntary basis, by the private sector. Sep. 1997: formal call for algorithms, open to everyone on earth AES would specify an unclassified, publicly disclosed encryption algorithm(s), available royalty-free, worldwide. The algorithm(s) must implement symmetric key cryptography as a block cipher and (at a minimum) support block sizes of 128-bits and key sizes of 128-, 192-, and 256-bits. Aug. 1998: first AES candidate conference NIST announces the selection of 15 candidate algorithms Demand for public comments Network Security, WS 2008/09 21 Network Security, WS 2008/09 22 The Advanced ion Standard AES (2) The Advanced ion Standard AES (3) Mar. 1999: second AES candidate conference Discussion of results of the analysis conducted by the global cryptographic community on the candidate algorithms. April 1999: Using the analyses and comments received, NIST selects five algorithms as finalist candidates: MARS, RC6, Rijndael, Serpent, and Twofish Demand for public comments on any aspect of the finalists: Cryptanalysis Implementation issues Intellectual property & Overall recommendations May 2000: third AES candidate conference October 2000: Rijndael is announced as NIST s proposal for AES 28. February 2001: draft FIPS standard is published [AES01a] 29. May 2001: comment period ends 26. November 2001: official announcement of the AES standard ey and block lengths: ey Length: 128, 192, or 256 bit Block Length: 128, 192, or 256 bit In the following only 128 bit is considered Number of rounds: 10 (for block and key size of 128 bit) Rounds 1-9 make use of four different operations: ByteSub: a non-linear byte substitution (basically an s-box) ShiftRow: the rows of the state are cyclically shifted by various offsets MixColumn: an operation based on polynomial algebra Roundey: a round-key is XORed with the state Round 10 does not make use of the MixColumn operation Network Security, WS 2008/09 23 Network Security, WS 2008/09 24

The Advanced ion Standard AES (4) Structure of one Round in Rijndael Properties of AES No successful attacks known so far. Roughly 3 times the speed of DES (200 MBit/s vs. 80 MBit/s) Can be used in CBC of CTR modes in communication. Elegant algebraic structure: uses properties of GF(2 8 ). Highly parallel architecture. (source: Rijndael, a presentation by J. Daemen and V. Rijmen) Network Security, WS 2008/09 25 Network Security, WS 2008/09 26 The Stream Cipher Algorithm RC4 RC4 ion RC4 is a stream cipher that has been invented by Ron Rivest in 1987 It was proprietary until 1994 when someone posted it anonymously to a mailing list RC4 runs in OFB mode It uses a pseudo-random number generator (PRNG) for generating a key stream of arbitrary length An initial state S 0 of a pseudo-random-bit generator is set using the key and an initialization vector IV. At each iteration a pseudo-random key k j and a new state s j+1 is generated. The k j are concatenated together in order to build the key stream The plaintext P is XORed with the key stream to obtain the cipher text and vice versa: C= P RC4(IV,) P = C RC4(IV,) IV, P RC4 Pseudorandom-bit-generator ey stream RC4 ion Block Diagram C Network Security, WS 2008/09 27 Network Security, WS 2008/09 28

Security of RC4 (In)security of RC4 (1) RC4 uses a variable length key up to 2048 bit The key serves as the seed for a pseudo-random-bit-generator The variable key length of up to 2048 bit allows to make brute force attacks impractical (at least with the resources available in our universe) RSA Data Security, Inc. claims that RC4 is immune to differential and linear cryptanalysis Moreover, no small cycles in the generated pseudo-numbers are known: Analysis shows that the period of the cipher is overwhelmingly likely to be greater than 10 100. (http://www.rsasecurity.com) The IV must be different for each message P i Otherwise a simple known plaintext attack is possible: Assume an attacker can guess a plain text Note: It can happen quite often that the plain text can be guessed although it is encrypted. e.g. DNS requests, ARP requests. IP headers can be also easily guessed. Let the same IV being used for encrypting occur again when a later message needs to be encrypted: IV 1 = IV 2 Then = RC4(IV 1, ) RC4(IV 2, ) = RC4(IV 1, ) RC4(IV 2, ) = RC4(IV 1, ) RC4(IV 1, ) = Then = Network Security, WS 2008/09 29 Network Security, WS 2008/09 30 (In)security of RC4 (2) ey length RC4 with a 40 bit key was a default algorithm for the Secure Socket Layer (SSL) protocol, which has been designed to secure HTTP transfers. 40-bit key length is not immune against brute-force attacks Currently, the use of RC4 with 40-bits keys is deprecated (In)security of RC4 (2) Fluhrer-Mantin-Shamir Attack [FMS01a] : Over all possible RC4 keys, the statistics for the first few bytes of output keystream are strongly non-random, leaking information about the key. If the long-term key and nonce are simply concatenated to generate the RC4 key, this long-term key can be discovered by analysing large number of messages encrypted with this key. The reaction of Ron Rivest to this attack was that applications using RC4 can defend against it by discarding the initial portion of the keystream (say the first 1024 bytes) before using it (RC4drop[n]). lein s attack: There are correlations between the internal state of RC4 and the bytes in the key stream. As a result, the key can be recovered from a sufficiently large number of observed cipher text messages. Used to break WEP encryption Network Security, WS 2008/09 31 Network Security, WS 2008/09 32

Additional References [AES01a] National Institute of Standards and Technology (NIST). Specification for the Advanced ion Standard (AES). Federal Information Processing Standards Publication, February 2001. [DR97a] J. Daemen, V. Rijmen. AES Proposal: Rijndael. http://csrc.nist.gov/encryption/aes/rijndael/rijndael.pdf, 1997. [FMS01a] S. Fluhrer, I. Mantin, A. Shamir. Weaknesses in the ey Scheduling Algorithm of RC4. Eighth Annual Workshop on Selected Areas in Cryptography, August 2001. [Riv01a] R. Rivest. RSA Security Response to Weaknesses in ey Scheduling Algorithm of RC4. http://www.rsa.com/rsalabs/technotes/wep.html, 2001. [SIR01a] A. Stubblefield, J. Ioannidis, A. D. Rubin. Using the Fluhrer, Mantin, and Shamir Attack to Break WEP. AT&T Labs Technical Report TD-4ZCPZZ, August 2001. Network Security, WS 2008/09 33

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information