School of Computer Science
CS 445 / 645 Internet Security
Mon & Wed, 11:30 AM ~ 12:45 PM @ SEB 1240
Spring, 2012
Wednesday, Jan. 25, 2012

Review

Types of keys – Symmetric Key
• Same key for decryption and encryption
• P = D(K, E(K, P))
• or conventional / private-key / single-key
• sender and recipient share a common key
• all classical encryption algorithms are private-key

Types of keys – Asymmetric Key
• Solving the symmetric key problem
• After a few thousand years of search, a solution was found in the 1970s
• Different keys for encryption and decryption
  • Encryption key: KE
  • Decryption key: KD
• P = D(KD, E(KE, P))
• Asymmetric key

Substitution Cipher - Caesar cipher
• c_i = E(p_i) = p_i + 3
• Example: TREATY IMPOSSIBLE → Wuhdwb lpsrvvleoh
• Can be broken easily by frequency analysis

Breaking Caesar Cipher
• [Figure: frequency analysis, plot of p(c)]
• Caesar’s cipher can be easily solved (i.e., finding i) by calculating φ(i) = Σ_{0 ≤ c ≤ 25} f(c) p(c – i), where f(c) is the frequency of ciphertext letter c and p(c) is the letter frequency plotted in the figure
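
The correlation φ(i) above, carried through in C as an added example (not part of the original slides). It assumes an approximate English letter-frequency table for p, takes the key to be the i with the largest φ(i), and uses a constructed sample sentence; the function names are illustrative.

```c
#include <ctype.h>
#include <stdio.h>

/* p(x): approximate relative frequency of a..z in English text (assumed values). */
static const double P_ENGLISH[26] = {
    0.082, 0.015, 0.028, 0.043, 0.127, 0.022, 0.020, 0.061, 0.070,
    0.002, 0.008, 0.040, 0.024, 0.067, 0.075, 0.019, 0.001, 0.060,
    0.063, 0.091, 0.028, 0.010, 0.024, 0.002, 0.020, 0.001
};

/* Shift letters by key positions mod 26, key in -25..25 (negative decrypts). */
void caesar_shift(const char *in, char *out, int key) {
    size_t n = 0;
    for (; in[n] != '\0'; n++) {
        unsigned char ch = (unsigned char)in[n];
        int base = isupper(ch) ? 'A' : 'a';
        out[n] = isalpha(ch) ? (char)(base + (ch - base + key + 26) % 26) : (char)ch;
    }
    out[n] = '\0';
}

/* Return the i in 0..25 with the largest phi(i) = sum over c of f(c) * p(c - i). */
int caesar_guess_key(const char *ct) {
    double f[26] = {0}, best_phi = -1.0;
    int total = 0, best = 0;
    for (const char *s = ct; *s != '\0'; s++)
        if (isalpha((unsigned char)*s)) { f[tolower((unsigned char)*s) - 'a'] += 1.0; total++; }
    if (total == 0) return 0;              /* no letters: nothing to analyse */
    for (int i = 0; i < 26; i++) {
        double phi = 0.0;
        for (int c = 0; c < 26; c++)       /* ciphertext letter c came from c - i */
            phi += (f[c] / total) * P_ENGLISH[(c - i + 26) % 26];
        if (phi > best_phi) { best_phi = phi; best = i; }
    }
    return best;
}

int main(void) {
    /* Constructed sample plaintext, encrypted here with the slide's key of 3. */
    const char *pt = "the treaty is impossible to sign because the other side "
                     "refuses to meet the terms of the agreement";
    char ct[128], back[128];
    caesar_shift(pt, ct, 3);
    int key = caesar_guess_key(ct);
    caesar_shift(ct, back, -key);
    printf("ciphertext: %s\nguessed key: %d\nplaintext: %s\n", ct, key, back);
    return 0;
}
```

Very short ciphertexts give unreliable letter counts, so the highest φ(i) is best treated as the first candidate to check rather than a guaranteed answer.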

Another Substitution Cipher - One-Time Pad
• One-time pad = a large, nonrepeating set of keys
• Encryption and decryption
  • A section of the key is used once and destroyed
  • The receiver needs an identical pad to decrypt
• It is a perfect cipher
  • Information-theoretically secure: IMPOSSIBLE to break
  • Data + Random = Random

One-time pad concept
• Message: 1011 0010 . . . . .
• Random number: 0110 1001 . . . . .
• Encryption method: Exclusive OR
  • 0 ⊕ 0 = 0
  • 0 ⊕ 1 = 1
  • 1 ⊕ 0 = 1
  • 1 ⊕ 1 = 0
• Encryption result: 1011 0010 ⊕ 0110 1001 = 1101 1011
• Decryption result: 1101 1011 ⊕ 0110 1001 = 1011 0010

Columnar Transposition Example
THIS IS A SAMPLE MESSAGE

    T H I S I
    S A S A M
    P L E M E
    S S A G E

Read down the columns: tsps hals isea samg imee
Regrouped: tspsh alsis easam gimee
• Trivial to solve
• You only need to know the number of columns

Breaking transposition cipher
• Characteristic patterns of adjacent letters
  • Digram (pairs of letters)
  • Trigram (triples of letters)
• Frequent occurrences
  • endings: -th, -ing, -ed, -ion, -ation, -tion,…
  • beginnings: im-, in-, re-, un-, en-, ...
  • patterns: -eek-, -oot-, -our-, …
  • words: of, end, to, with, are, is, …
• Certain pairs of digrams and trigrams do not appear
  • E.g., -vk- and -qp-

Feistel Cipher
• By Horst Feistel from IBM
• Encryption and decryption operations are very similar.
• First seen commercially in IBM’s Lucifer cipher
• Partitions input block into two halves
  • multiple rounds which perform a substitution on left half
  • round function of right half & subkey
  • then have permutation swapping halves
• Implements Shannon’s substitution-permutation network concept
  • Bit-shuffling (P-boxes)
  • Simple non-linear functions (S-boxes)
  • Linear mixing using XOR

IBM’s Lucifer
• IBM was hired by Lloyds of London to arrange security for a cash dispensing network (early ATM machines).
• IBM developed Lucifer cipher
  • by team led by Feistel
  • used 64-bit data blocks with 128-bit key
• Then redeveloped as a commercial cipher with input from NSA and others

Birth of DES (Data Encryption Standard)
• In 1973 National Bureau of Standards (NBS) issued request for proposals for a “Data Encryption Standard” after consulting with the NSA
• None met the criteria, second request issued in 1974
• IBM submits Lucifer to NBS
• NBS submits Lucifer to NSA
• NSA returns Lucifer with “tweaks” (was controversial) to S-boxes and 56-bit key
  • Strength of the cipher was reduced - Probably NSA did not want an encryption they could not break
• This weakened version was officially adopted by NBS (now NIST) on Nov 23, 1976, and was called the Data Encryption Standard (DES).
• NIST defined Triple DES (3DES) in 1999

Controversy over DES
• Lucifer was susceptible to differential cryptanalysis.
• Differential Cryptanalysis (Chosen Plaintext attack)
  • Observes how differences in an input affect the output.
  • A set of techniques for tracing differences through the network of transformations, discovering where the cipher exhibits non-random behavior, and exploiting such properties to recover the secret key.
  • Published in late 1980’s
• NSA couldn’t tell anybody!
  • Technique was secret until independently discovered by Adi Shamir
• S-box changes by NSA made differential cryptanalysis useless against DES
  • IBM published a paper on this in the 90s.
• DES is still not broken (except brute force attack)

Data Encryption Standard (DES)
• Most widely used block cipher in the world
• A Feistel Cipher
• Block cipher with 16 iterations
• Combination of substitution and transposition
• Encrypts a 64-bit block of plain text using a 56-bit key
• Three phases
  • Permute the 64 bits in the block
  • Apply a given operation 16 times on the 64 bits
  • Permute the 64 bits using the inverse of the original permutation
[Figure: 1st phase; 2nd phase (Round 1 . . . Round 16, with key); 3rd phase]

DES Algorithm
[Figure: DES round diagram with 32-bit data halves, 56-bit key and 48-bit subkey (different for each stage)]
Cycles of Substitution and Permutation.

S-Box
• Eight S-boxes which map 6 to 4 bits
• Each 48-bit input is broken into 8 blocks, fed to each S-box
• Each S-box is actually 4 little 4-bit boxes
  • outer bits 1 & 6 (row bits) select one row
  • inner bits 2-5 (col bits) are substituted
  • result is 8 lots of 4 bits, or 32 bits
• Example: 6×4-bit S-box (S5)
  • E.g., an input "011011" has outer bits "01" and inner bits "1101"; the corresponding output would be "1001".

Is the 56-bit key secure enough?
• No
  • In 1997, using 3,500 machines in parallel, DES key is found in 4 months
  • In 1998, a DES-cracker machine ($100,000) found the key in 4 days
  • In 1999, less than 24 hours
  • Now? After 12 years….
    • http://www.sciengines.com/copacobana/ or cloud
• The short key was controversial from the moment it was introduced
• How can we increase the key size?
  • Repeat DES multiple times
• Double DES
  • Using two keys, encrypt twice, E(k2, E(k1, m))
  • But wait! The security is not the same as a 112-bit key (Meet-in-the-middle attack)

Meet-in-the-middle attack
• c = E(k2, E(k1, p))
• Assume attacker knows two pairs of c and p
• Attacker computes E(ki, p) for all possible keys ki and stores them in a table
  • Memory space = 2^56 * p = 64,000,000,000,000,000 * p (64 peta entries)
• Attacker then computes D(ki, c) for each ki and compares the result with the table entries
• Time complexity
  • 2^56 for E + 2^56 for D = 2^57, not 2^112!
Then sort by ciphertext
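
Why double encryption buys so little, shown on a scaled-down cipher as an added example (not from the original slides). `toy_enc`/`toy_dec` are a hypothetical 16-bit block cipher with an 8-bit key standing in for DES, and a directly indexed table replaces the sort step; the keys and plaintexts are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy invertible 16-bit block cipher with an 8-bit key (hypothetical stand-in for DES). */
static uint16_t rotl16(uint16_t x, int r) { return (uint16_t)((x << r) | (x >> (16 - r))); }
uint16_t toy_enc(uint8_t k, uint16_t x) {
    for (int r = 0; r < 4; r++) {
        x ^= (uint16_t)(k * 0x0101u + r);
        x = (uint16_t)(rotl16(x, 5) + 0x9E37u * (k + 1u));
    }
    return x;
}
uint16_t toy_dec(uint8_t k, uint16_t x) {
    for (int r = 3; r >= 0; r--) {
        x = rotl16((uint16_t)(x - 0x9E37u * (k + 1u)), 11);   /* left 11 == right 5 */
        x ^= (uint16_t)(k * 0x0101u + r);
    }
    return x;
}

uint16_t double_enc(uint8_t k1, uint8_t k2, uint16_t p) { return toy_enc(k2, toy_enc(k1, p)); }

/* Finds (k1, k2) from two known (p, c) pairs; returns cipher calls used, or -1. */
long mitm(uint16_t p1, uint16_t c1, uint16_t p2, uint16_t c2, uint8_t *k1, uint8_t *k2) {
    static int head[65536];   /* middle value -> last k1 that produced it, -1 if none */
    int next[256];            /* chains k1 values that share a middle value */
    long ops = 0;
    for (int m = 0; m < 65536; m++) head[m] = -1;
    for (int a = 0; a < 256; a++, ops++) {        /* table of E(k1, p1) for all k1 */
        uint16_t mid = toy_enc((uint8_t)a, p1);
        next[a] = head[mid]; head[mid] = a;
    }
    for (int b = 0; b < 256; b++, ops++) {        /* D(k2, c1) for all k2, looked up */
        uint16_t mid = toy_dec((uint8_t)b, c1);
        for (int a = head[mid]; a >= 0; a = next[a]) {
            ops += 2;                             /* check candidate on second pair */
            if (double_enc((uint8_t)a, (uint8_t)b, p2) != c2) continue;
            *k1 = (uint8_t)a; *k2 = (uint8_t)b;
            return ops + 1;                       /* count this iteration's D call */
        }
    }
    return -1;
}

int main(void) {
    uint8_t k1 = 0, k2 = 0;   /* constructed demo: the secret keys are 0x3A and 0xC5 */
    long ops = mitm(0x1234, double_enc(0x3A, 0xC5, 0x1234),
                    0xBEEF, double_enc(0x3A, 0xC5, 0xBEEF), &k1, &k2);
    printf("k1=0x%02X k2=0x%02X after %ld cipher calls (exhaustive: up to %ld)\n",
           (unsigned)k1, (unsigned)k2, ops, 2L * 65536);
    return 0;
}
```

The second (p, c) pair is what filters out key pairs that match the first pair only by coincidence, which is why the slide assumes two known pairs.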

Triple DES
• TDEA, or 3DES (in 1999)
• E(k3, E(k2, E(k1, m)))
  • EEE
  • Key length = 168 bits, but the effective security is 112 bits due to the meet-in-the-middle attack
  • Best attack requires around 2^32 known plaintexts, 2^113 steps, 2^90 single DES encryptions, and 2^88 memory (1998)
• E(k3, D(k2, E(k1, m)))
  • EDE
  • Why? For backward compatibility with single-key DES (k1=k2)
• Drawbacks
  • Relatively sluggish in software
  • Block size of 64-bit is too small

AES (Advanced Encryption Standard)
• To replace DES, NIST issued a call in 1997
  • The algorithms were all to be block ciphers, supporting a block size of 128 bits and key sizes of 128, 192, and 256 bits.
  • Such ciphers were rare at the time
  • Must not be patented and be public
• NIST won praise from the cryptographic community for the openness in the standards process
  • Held 3 conferences: AES1 (1998), AES2 (1999), AES3 (2000)
• Candidates
  • First round (1998): 15 algorithms (CAST-256, CRYPTON, DEAL, DFC, E2, FROG, HPC, LOKI97, MAGENTA, MARS, RC6, Rijndael, SAFER+, Serpent, and Twofish)
  • Second round (1999): 5 algorithms (MARS, RC6, Rijndael, Serpent, and Twofish)

AES (Advanced Encryption Standard)
• Rijndael was selected in Oct 2000
  • Named after two inventors, Rijmen + Daemen, from Belgium
  • US picked a foreign-designed cipher as its standard!
  • Approved in November 2001
• AES = A Block cipher
  • Block size = 128 bits, Key size = 128, 192, 256
  • Note: Original Rijndael allows key and block size in any multiple of 32 bits (128 ~ 256 bits)
  • Number of cycles is flexible = 10, 12, 14
• Not a Feistel network, but an S-P network
• All S-boxes (8-bit) are identical
• 6 times faster than DES

AES Operation
• Data block of 4 columns of 4 bytes is state
• Four different stages are used, one of permutation and three of substitution (except the last round)
  • byte substitution (1 S-box used on every byte)
  • shift rows (permute bytes between groups/columns)
  • mix columns (subs using matrix multiply of groups)
  • add round key (XOR state with key material)
• Only the Add Round Key stage makes use of the key
• Each stage is reversible
  • Add round key stage can be reversed with key
  • P ⊕ K ⊕ K = P

AES
• http://www.cs.bc.edu/~straubin/cs381-05/blockciphers/rijndael_ingles2004.swf

Security of AES
• No attack has succeeded yet, but it still needs to stand the “test of time”
• Many attack attempts are being made
• US government usage recommendation
  • Up to SECRET class: all key sizes
  • TOP SECRET: with 192 or 256 bit

Random Numbers
• Many uses of random numbers in cryptography
  • nonces in authentication protocols to prevent replay
  • session keys
  • public key generation
  • keystream for a one-time pad
• In all cases it's critical that these values be
  • statistically random, uniform distribution, independent
  • Unpredictability of future values from previous values
• True random numbers provide this
• Care needed with generated random numbers

Netscape’s “secret” key in 1995
• Random number = strings of only 40 bits
  • hackers were able to break these codes, even with mid-1990s computer speeds, in about 30 hours.
• Based on just three values —all predictable!
  • time of day
  • process identification number
  • parent-process identification number
• This allowed the attackers to reduce the number of keys that they needed to try
• http://spectrum.ieee.org/computing/hardware/behind-intels-new-randomnumber-generator (Sep. 2011, IEEE Spectrum)

Pseudorandom Number Generators
• Often use deterministic algorithmic techniques to create “random numbers”
  • Not truly random
  • But it can pass many tests of “randomness”
• Known as “pseudorandom numbers”
• Created by “Pseudorandom Number Generators (PRNGs)”

Random number generators
• Seed: a fixed value
• Context specific values: User ID, application ID

Getting True Random Numbers
• Physical methods
  • Dice, coin flipping, roulette
  • Radioactive decay, thermal noise, clock drift
• Hardware random number generator
  • SSL Accelerator card
  • Intel’s method
    • RdRand instruction from 2012 (Digital RNG)
• Web service
  • www.random.org

Stream Cipher
• Pseudo one-time pad
• Requirements
  • long period with no repetitions
  • statistically random
  • depends on large enough key
  • large linear complexity
• properly designed, can be as secure as a block cipher with same size key
• but usually simpler & faster

RC4
• Designed by Ron Rivest of RSA Security in 1987 (Rivest Cipher 4)
• Stream cipher
  • Encrypts one byte at a time
• Almost random number: Period of cipher is greater than 10^100
  • You can use it as a random number generator
• Very fast
  • 8-16 machine instructions per output byte
• Popular method, used in WEP, WPA and SSL,
  • thanks to its impressive speed and simplicity.

RC4
• RC4 generates a pseudorandom stream of bits (a "keystream") which, for encryption/decryption, is combined with the plaintext using XOR
• Key size 40~256 bits (5 to 32 bytes)
• Inputs: Key and Data
• Output: Unique keystream of data (PRGA) equal to the length of input data
• Example
  • Plaintext = 1010
  • keystream = 0011
  • Ciphertext = 1001

How does it work?
• Key scheduling algorithm (KSA)
  • A variable length key, between 40 and 256 bits, is used to initialize the 256-byte state vector (S)
• Pseudo Random Generation Algorithm (PRGA)
  • To generate the keystream, the cipher makes use of a secret internal state which consists of two parts:
    • A permutation of all 256 possible bytes (S).
    • Two 8-bit index-pointers (denoted "i" and "j").
  • A byte k is generated from S, and S is again permuted

Caution
• Use unsigned char for data types
• The output is probably unprintable characters
  • Print the decimal values

1. The key-scheduling algorithm (KSA)
• Initializes the permutation in the array S.
• keylen is defined as the number of bytes in the key and can be in the range 1 ≤ keylen ≤ 256, typically between 5 and 16.
• First, the array "S" is initialized so that each entry holds its own index number.
• S is then processed for 256 iterations
• The only operation is swap, so the set of values stored in S is not changed

    for i from 0 to 255
        S[i] := i;
    j := 0;
    for i from 0 to 255 {
        j := (j + S[i] + key[i mod keylen]) mod 256;
        swap(S[i], S[j]);
    }

2. The pseudo-random generation algorithm (PRGA)
• Once KSA is completed, PRGA modifies the state and outputs a byte of the keystream. In each iteration,
  • the PRGA increments i,
  • adds the value of S pointed to by i to j,
  • exchanges the values of S[i] and S[j],
  • outputs the value of S at the location S[i] + S[j] (modulo 256).
• Each value of S is swapped at least once every 256 iterations.

    i := 0
    j := 0
    while GeneratingOutput:
        i := (i + 1) mod 256
        j := (j + S[i]) mod 256
        swap(S[i], S[j])
        output S[(S[i] + S[j]) mod 256]    (byte of the key stream, K)

Security of RC4
• The keystream generated by RC4 is slightly biased in favor of certain sequences of bytes.
  • Attack by Fluhrer and McGrew.
• RC4 does not take a nonce alongside the key.
• Not recommended for use in new applications.
• Fluhrer, Mantin and Shamir attack (2001)
  • The statistics for the first few bytes of output keystream are strongly non-random, leaking information about the key.
  • This and related effects were then used to break the WEP.
  • Can avoid by discarding the initial portion of the keystream (say the first 1024 bytes)
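
The KSA and PRGA slides and the keystream-discard mitigation above, put together in C as an added example (not the lecture's own code). It follows the Caution slide by using unsigned char and printing decimal values; the function names and the `drop` parameter are illustrative, and the key and message are the widely published "Key" / "Plaintext" RC4 test vector.

```c
#include <stdio.h>
#include <string.h>

typedef struct { unsigned char S[256], i, j; } rc4_state;

static void swap_bytes(unsigned char *a, unsigned char *b) {
    unsigned char t = *a; *a = *b; *b = t;
}

/* KSA: start from S[i] = i, then mix the key in with 256 swaps. */
int rc4_ksa(rc4_state *st, const unsigned char *key, size_t keylen) {
    unsigned int i, j = 0;
    if (keylen < 1 || keylen > 256) return -1;   /* slide: 1 <= keylen <= 256 */
    for (i = 0; i < 256; i++) st->S[i] = (unsigned char)i;
    for (i = 0; i < 256; i++) {
        j = (j + st->S[i] + key[i % keylen]) % 256;
        swap_bytes(&st->S[i], &st->S[j]);
    }
    st->i = st->j = 0;
    return 0;
}

/* PRGA: advance the state and return one keystream byte K. */
unsigned char rc4_next(rc4_state *st) {
    st->i = (unsigned char)(st->i + 1);                 /* unsigned char wraps mod 256 */
    st->j = (unsigned char)(st->j + st->S[st->i]);
    swap_bytes(&st->S[st->i], &st->S[st->j]);
    return st->S[(unsigned char)(st->S[st->i] + st->S[st->j])];
}

/* XOR n bytes with the keystream after discarding the first `drop` bytes.
   The same call encrypts and decrypts. Returns 0, or -1 for a bad key length. */
int rc4_crypt(const unsigned char *key, size_t keylen, size_t drop,
              const unsigned char *in, unsigned char *out, size_t n) {
    rc4_state st;
    if (rc4_ksa(&st, key, keylen) != 0) return -1;
    while (drop-- > 0) (void)rc4_next(&st);
    for (size_t k = 0; k < n; k++) out[k] = (unsigned char)(in[k] ^ rc4_next(&st));
    return 0;
}

int main(void) {
    const unsigned char key[] = "Key", msg[] = "Plaintext";  /* published test vector */
    unsigned char ct[9], pt[9];
    rc4_crypt(key, 3, 0, msg, ct, 9);
    rc4_crypt(key, 3, 0, ct, pt, 9);
    for (int k = 0; k < 9; k++) printf("%u ", ct[k]);        /* decimal, not raw bytes */
    printf("\nround trip %s\n", memcmp(pt, msg, 9) == 0 ? "ok" : "FAILED");
    return 0;
}
```

Both sides must agree on the same `drop` value (for example 1024), since a different discard length yields a different keystream.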

Speed comparison
• RSA Enc ~ 1024 bit/8 * 1000/0.18 = 711 KB/sec
• RSA Dec ~ 1024 bit/8 * 1000/4.77 = 27 KB/sec
• http://www.cryptopp.com/benchmarks.html

Next class
• More on symmetric Key algorithms
  • Modes of operation
  • Other symmetric key algorithms
• Public Key Algorithms
  • RSA
  • DH