320 likes | 448 Views
ELEC5616 computer and network security. matt barrie mattb@ee.usyd.edu.au. pseudorandom number generators. Sources of random numbers are desirable in many applications: Session keys Deck shuffling Challenges Nonces Unfortunately truly random sources are not easy to come by:
E N D
ELEC5616computer and network security matt barrie mattb@ee.usyd.edu.au lecture 4 :: cyphers II
pseudorandom number generators • Sources of random numbers are desirable in many applications: • Session keys • Deck shuffling • Challenges • Nonces • Unfortunately truly random sources are not easy to come by: • Thermal noise in electric circuits • Timing of Geiger counter clicks • Instead applications need to make do with a pseudorandom number generator (PRNG). lecture 4 :: cyphers II
pseudorandom number generators • Desirable properties of PRNGs are: • Repeatability • Statistical randomness • Long period/cycle • Insensitive to seeds • PRNGs are often broken by: • Statistical tests to find patterns or bias in the output sequence • Inferring the state of internal registers from the output sequence • PRNGs are usually critically important parts of the system, and often a single point of failure lecture 4 :: cyphers II
linear congruential generators • Linear Congruential Generators xn+1 = (axn + b) mod c • e.g. Unix rand() function • a, b, c are constants • Period of generator is less than c • Cannot be used for security - easily predictable! • Only need two consecutive values to reconstruct the internal state. • Was used by an Internet casino who were so sure of their code, they published their algorithms! • With expected results… • Moral of the story: don’t use it! lecture 4 :: cyphers II
linear feedback shift registers • Linear Feedback Shift Registers (LFSRs) • Seed is the initial value of the shift register • Feedback network based on polynomials over finite fields • Easy and very fast in hardware (1 bit per clock) • Problem: • Tap configuration can be determined from 2n output bits n bit shift register lecture 4 :: cyphers II
rc4 • Wide applications in cryptography • Based on permutations of a 256 byte array • The seed is the initial value of the array • RC4’s key scheduling algorithm has problems (WEP weakness) i,j=0; while (1) { i = i + 1 (mod 256); j = j + s[i] (mod 256); swap (s[i], s[j]); t = s[i] + s[j] (mod 256); output s[t]; } …. s lecture 4 :: cyphers II
other PRNGs • ANSI X9.17 • Based on 3DES • DSA PRNG • Based on SHA or DES • RSAREF PRNG • Based on MD5 hashing and addition modulo 2128 lecture 4 :: cyphers II
using PRNGs • Be extremely careful with PRNG seeds! • Hash PRNG inputs with a timestamp or counter • Reseed the PRNG occasionally • Use a hash function to protect PRNG outputs if PRNG is suspect lecture 4 :: cyphers II
stream cyphers • In a OTP, the secret key is the random n-bit stream. • Stream cyphers replace this random stream with a pseudorandom bitstream. • The secret key is the seed used to generate the pseudorandom stream. E(m, seed) = m RNG(seed) D(c, seed) = c RNG(seed) seed pseudo random stream plaintext cyphertext lecture 4 :: cyphers II
security of stream cyphers • Trade-off: excellent secrecy for ease of implementation / use. • The security of the cypher is dependent on the security of the pseudorandom number generator. • It should be computationally hard to determine either the seed or the next number in sequence. • Since the random number generator is deterministic, the seed should only be used for one session. • Stream cyphers are much faster than block cyphers. • To avoid using the same seed twice, we can encrypt it using stronger crypto and append to the ciphertext (to tell the other party): E(m, k) = DES(seed, k) || m RNG(seed) (strong) (fast) lecture 4 :: cyphers II
History of DES 1970s IBM Research Team led by Feistel devises a cypher called LUCIFER with a 128-bit message, ciphertext and keyspace. 1973 NBS (now NIST) asks for a proposed data encryption standard. 1974 IBM develops DES from LUCIFER. 1975 The NSA “fixes” DES • shortens key to 56 bits (on 64 bit blocks) • plays with S (substitution) boxes • additional permutations 1977 DES adopted and heavily used to secure financial transactions. 1991 Biham & Shamir discover modifications made DES resilient to differential cryptanalysis. 1993 Michael Wiener from Nortel theorises a USD$1M machine could crack DES in 3.5 hours using off the shelf components 1997 DES cracked by brute force by Distributed.net in 96 days. 1997 NIST asks for proposal for AES (advanced encryption standard) 1999 DES cracked by brute force again in 24 hours using Distributed.net and the EFF USD$250,000 Deep Crack machine 2000 Rijndael accepted as new AES standard (128/192/256 bit keyspace, 128 bit blocks). lecture 4 :: cyphers II
NSA • Was the NSA playing the resource game? • "NSA doesn't want a strong cryptosystem as a national standard, because it is afraid of not being able to read the messages. On the other hand, if NSA endorses a weak cryptographic system and is discovered, it will get a terrible black eye." - EFF 1998 lecture 4 :: cyphers II
DES • Data Encryption Standard (DES) • Block cypher (64-bit blocks, 56-bit key) • 16-round Feistel network: • A particular construction which is reversible: c = DESk(m) m= DESk(c) • Note: key schedule is reversed • Operates in many different modes • World’s most heavily used and analysed cypher • We still don’t understand it properly after 25 years • The NSA knew more than we do now, 20 years ago lecture 4 :: cyphers II
feistel networks • Ladder structure • Input is split into two blocks, the left and right halves • The functions f1 … fk are arbitrary mappings: f1 … fk : {0,1}n→ {0,1}n left half right half l0 each round: li = ri-1 ri = li-1 fi(ri-1) r0 round 1 round 2 round 3 f1 l1 r1 f2 l2 r2 f3 r3 l3 lecture 4 :: cyphers II
feistel structure • Express cypher as combination of successive round functions (can be any number of rounds): Ψ(f1, f2, f3) • To decrypt, simply use the rounds in reverse order i.e. : Ψ-1(f1, f2, … , f2k-1) = Ψ(f2k-1, … , f2, f1) • Round functions do not need to be invertible • If fi are random functions then Ψ() is indistinguishable from a random permutation under a chosen plaintext attack • This lets us turn any one-way function into a block cypher • We can thus optimise round functions individually lecture 4 :: cyphers II
Diffusion and Confusion • Many modern symmetric cyphers are based upon two principles: • Diffusion is used to dissipate the statistical structure of the plaintext into long range statistical properties of the cyphertext • We try to make the statistical relationship between plaintext and cyphertext complex so they key cannot be derived- ideally by having each plaintext bit affect as many as possible cyphertext bits. • In cypher design, we try to get the cyphertext symbol, digraph and trigraph frequencies as evenly distributed as possible, and ideally flipping a bit of the plaintext will result in a 50% probability of each bit flipping in the cyphertext • Diffusion is usually achieved through repeat application of a permutation function • Sometimes seen as a ‘P-Box’ in cyphers • Confusion is used to make the relationship between the cyphertext and the key as difficult as possible • Usually achieved through application of a complex substitution function • Usually seen in the form of a n x m bit ‘S-box’ • Think of a n-bit address line into a n x m-bit RAM (storing a non-linear function) lecture 4 :: cyphers II
DES structure Initial permutation to discourage software implementations (transposition) Plaintext split into left and right halves (each 32 bits, expanded to 48) • S-boxes to confuse (substitution) • P-boxes to diffuse (permutation) 16 rounds Key schedule s1..s16 derived from key (each is 48 of 56 bits) Inverse of initial permutation lecture 4 :: cyphers II
DES internals • 16 round Feistel network with functions f1 … f16 derived from the key (through the key scheduling algorithm) • DES can be defined by the following equations: M = L0R0 # |L0| = |R0| = 32 bits Li = Ri-1 # 16 rounds Ri = Li-1 F(Ri-1, ki) C = R16L16 #output • Each ki is the ith subkey derived from the key k according to a key schedule. lecture 4 :: cyphers II
DES round functions • The function F(x,ki): {0,1}32 x {0,1}48→ {0,1}32 x (32 bits) ki (48 bits) 48 bits 48 bits S-box (substitution) nonlinear confuse 6 bits x 8 s1 s8 4 bits x 8 32 bits P-box (permutation) diffuse P lecture 4 :: cyphers II
avalanche effect in DES • DES is designed so that a minor change in the key or the plaintext results in a dramatic change in the cyphertext. Round Bit change in plaintext Bit change in key (#bits different in cyphertext) (#bits different in cyphertext) 0 1 0 1 6 2 2 21 14 3 35 28 4 39 32 5 34 30 6 32 32 7 31 35 8 29 34 9 42 40 10 44 38 11 32 31 12 30 33 13 30 28 14 26 26 15 29 34 16 34 35 Change quickly avalanches, so difference between cyphertexts approaches that of any two chosen at random (half the bits in error on average) lecture 4 :: cyphers II
DES is broken • DES has been found to hold up well against many forms of cryptanalysis, but fell to brute force. • The problem is that Moore’s Law has caught up. • Security is all about resources, and these resources ride the silicon curve. • 1993: Michael Wiener theorises USD$1M machine brute force in 3.5 hours. • 1997: www.distributed.net 78,000 PCs brute force DES in 96 days. • 1998: EFF Deep Crack machine (USD$250k) and Distributed.net breaks in less than a day (3 days for the whole keyspace) • 2001: Sub-USD$1M custom chip machine brute force in under 30 minutes. • 2003: FPGAs exploiting optimum cost/performance. lecture 4 :: cyphers II
EFF DES cracker • Based on low-volume gate array machine built with AWT • Exploits Hardware parallelism: • 24 DES Search Units / Chip • 64 Chips / Board (~1800 chips total) • 27 Boards total in 2 Sun VME Chasses • DES performed in 16 cycles • Clocked at 40MHz ! • 2.5 Million keys / second (each unit) • Total Cost (1997): USD$250k • Brute force keyspace in 3 days lecture 4 :: cyphers II
cryptanalysis cost metrics 1993 Wiener’s theoretical machine 1.3 x 1010 d-s 1997 Distributed.net effort 6.5 x 1014 d-s • Assuming $1000/machine! 1998 EFF Deep Crack 6.5 x 1010 d-s Moral of the story: • Highly-parallel special-purpose hardware is much more efficient than massively-parallel general-purpose processors. The Future? • Cryptanalysis using modern FPGAs • e.g. Xilinx Virtex-II Pro – 125,000 CLBs and up to 4 PPC Cores @ 400MHz • Gain efficiencies using highly-parallel arrays of crack cores • FPGAs can clock @ 100-200MHz vs. 40MHz • 4x higher densities • Arbitrary function blocks in modern CLBs ideal for P/S-boxes • Exhaust space in 3-7 hours for same cost as DES cracker? lecture 4 :: cyphers II
FPGA Cryptanalysis • In 2003 Ian Howson and I examined cost/performance metrics for FPGA implementations of key search machines. • We showed that DES Cracker could be rebuilt using 622 Xilinx XC2S200E devices for a total hardware cost of $15,540. lecture 4 :: cyphers II
DES modes of operation • Electronic Code Book (ECB) • Each 64 bit block is encrypted separately. • Vulnerable to dictionary attacks. plaintext m0 Ek Ek Ek Ek Ek Ek c0 cyphertext lecture 4 :: cyphers II
ECB properties • Identical plaintext blocks result in identical cyphertext blocks • Blocks are enciphered independently • reordering cyphertext blocks results in reordered plaintext blocks • ECB thus not recommended for messages > 1 block or reuse over more than one message. • Error Propagation: one or more bit errors in a cyphertext block only affects the corresponding plaintext block • In general for a typical cypher decryption for this block results in random plaintext (i.e. 50% of plaintext in error) • Can strengthen through the use of random padding bits lecture 4 :: cyphers II
cypher block chaining (CBC) • Cypher Block Chaining (CBC) • Blocks are chained together • IV is some predetermined value plaintext m0 IV Ek Ek Ek Ek Ek Ek c0 cyphertext lecture 4 :: cyphers II
CBC properties • Identical plaintexts result in identical cyphertexts when the same plaintext is encyphered using the same key and IV. • Changing one or more of k, IV or m0 affects this. • Chaining dependencies • Cyphertext cj dependends on m0 … mj • Rearrangement of cyphertext blocks affects decryption • Error propagation • Bit error in cyphertext cj affects decyphering of cj and cj+1. • Recovered block m’j typically results in random bits • Bit errors in recovered block m’j+1 are precisely where cj was in error. • Attacker can cause predictable bit changes in mj+1 by altering cj • Bit Recovery • CBC is self-synchronising or cyphertext autokey in that if a bit error occurs in cj but not cj+1, then cj+2 correctly decrypts to mj+2 lecture 4 :: cyphers II
output feedback mode (OFM) • Output Feedback Mode (OFM) (effectively a stream cypher) plaintext m0 Ek Ek Ek Ek Ek Ek IV keystream c0 cyphertext lecture 4 :: cyphers II
properties of OFB • Identical plaintexts result in identical cyphertexts when the same plaintext is enciphered using the same key and IV. • Chaining dependencies • The keystream is plaintext independent • Error propagation • one or more bit errors in any cyphertext block results only in decipherment of that block in the precise position of error • Error recovery • OFB recovers from cyphertext bit errors but not bit loss (results in unalignment of keystream) • Throughput • Keystream may be independently calculated (e.g. precomputed) • IV must be changed if the key is reused lecture 4 :: cyphers II
evaluating block cyphers and modes • Estimated Security Level • Confidence grows the longer it has been openly analysed. • Key Size • An upper bound on the security of the cypher (i.e. brute force). • Longer keys have added costs to key generation, distribution, storage, difficulty to remember passwords, key recovery (!) • Throughput • Relates to affinity of design to implementation • Block Size • Larger is better but more costly • Complexity of Cryptographic Mapping • Data Expansion • Error Propagation • Effect of bit errors differs between cyphers and mode of operation lecture 4 :: cyphers II
references • Handbook of Applied Cryptography • §7.1 - §7.4 • Stallings (3rd Ed) • §3 lecture 4 :: cyphers II