340 likes | 493 Views
King Mongkut’s Univerity of Technology Faculty of Information Technology Network Security Prof. Reuven Aviv. Conventional Encryption & Message Confidentiality. Acknowledgements for slides Henric Johnson Blekinge Institute of Technology, Sweden. Outline.
E N D
King Mongkut’sUniverity of Technology Faculty of Information Technology Network Security Prof. Reuven Aviv Conventional Encryption & Message Confidentiality Acknowledgements for slides Henric Johnson Blekinge Institute of Technology, Sweden Conventional Encryption
Outline • Conventional Encryption Principles • Conventional Encryption Algorithms • Cipher Block Modes of Operation • Key Distribution Conventional Encryption
Conventional Encryption Principles • An encryption scheme has five ingredients: • Plaintext • Encryption algorithm • Secret Key • Ciphertext • Decryption algorithm • Security depends on the secrecy of the key, not the secrecy of the algorithm Conventional Encryption
Conventional Encryption Process What do we require from the algorithm? Conventional Encryption
Requirements • The Encryption algorithm should be strong • Opponent who knows the algorithm & ciphertexts would be unable to reveal the plaintext or the key • The key is to be distributed in a secure way • Low cost chip implementation why? • Important for wide spread use • Secrecy of algorithm NOT required why? Conventional Encryption
Classification of Cryptographic Systems • The type of operations used for transforming plaintext to ciphertextexamples? • The number of keys used • symmetric (single key) • asymmetric (two-keys, - public-key encryption) • The way in which the plaintext is processed • Block cipher, stream cipher Conventional Encryption
A model for Encryptionalgorithm • Horst Feistel of IBM in 1973 • Input – • block of plaintext in two halves: (L0, R0) • Secret Key K • Encryption: N rounds of “processing” • Li-1, Ri-1, Ki Li, Ri,Ki+1 • Sub-keysKi derived from K • One round of encryption: • Ri = apply special F(Ki, Ri-1), XOR with Li-1 • Li = Ri-1 what is XOR? Conventional Encryption
Transmission and Decryption • Transmission: Two halves of ciphertext • Decryption at the receiver (receiver knows K) • Input: • Two halves of Ciphertext (Ln+1, Rn+1) • Last sub-key: KnHow receiver knows this? • Receiver uses same algorithm as encryption • Each step: create Ki , (Li, Ri ) in reverse order • Output: plaintext (L0, R0) • how to make the algorithm stronger? Conventional Encryption
Increasing the strength of the algorithm • Larger Block size • Larger Key Size • Increasing Number of rounds • Output bits depend on more input bits • Complex Subkey generation algorithm • More complex F() • What’s the price of all this? • All of the above reduce speed • why is that important? Conventional Encryption
Conventional Encryption Algorithms • Data Encryption Standard (DES) • The most widely used encryption scheme • DES encrypts block after block (block cypher) • The plaintext is processed in 64-bit blocks • The key K is 56-bits in length • Triple DES (TDES) • 3 keys, three executions of DES • Advanced Encryption Standard (AES) Conventional Encryption
DES • Encryption: • Initial permutation of the input 64-bit block ?? • 16 rounds ( using a special F function) • Swap two halves • Inverse of initial permutation • ciphertext • Decryption • Initial permutation of ciphertext 64-bit block • 16 rounds (use sub-keys in reverse order) • Swap plaintext Conventional Encryption
Concerns about DES • algorithm vulnerable? (easy way to break?) • No vulnerability found, but • The function F is very complex • Key length • DES cracker built • less $250,000, three days work to break (find key) • Much faster cracking done using internet • DES is not considered a strong algorithm • What a cracker want? What does he do? Conventional Encryption
Cracking methods • If plaintext is really text • Use statistical distribution of letters, syllables • Use existence of structure: headers, … • In conjunction with brute force • If plaintext is not text but a general binary file • Use structure if known • Brute force • Note most files have some structure • E.g. program files • Otherwise attacker would not know if he succeeded Conventional Encryption
Cryptanalysis: Average time required for exhaustive key search Conventional Encryption
Triple DES • Encryption: Use three keys and three executions of the DES algorithm (encrypt-decrypt-encrypt) • P = Plaintext • C = ciphertext • EK[X] = encryption of X using key K • DK[Y] = decryption of Y using key K • Effective key length of 168 bits • We use decryption in the middle. Why? C = EK3[DK2[EK1[P]]] Conventional Encryption
Triple DES Conventional Encryption
TDES: Decryption C = EK3[DK2[EK1[P]]] DK3[C] = DK2[EK1[P]] EK2[DK3[C] = EK1[P] P = Dk1[EK2[DK3[C]]] Conventional Encryption
Encryption of Messages How a long message is encrypted? Conventional Encryption
Cipher Block Operation: ECB mode • “Electronic Code Book” • Divide message into blocks; encrypt each block • For every block a ciphertext block • Like a gigantic table: plaintext, ciphertext • plaintext blocks repeats? sameciphertext block • cracker identifies blocks, easier to crack • Improvement: design method so that repeat plaintext blocks differentciphertext blocks! • How? Conventional Encryption
Cipher Block Chaining Mode (CBC) • Ciphertext block i , Ci: • Do XOR of the current plaintext block Pi and the preceding ciphertext block, Ci-1 • Then encrypt Conventional Encryption
CBC Encryption • Create “initial value” block • XOR with first Plaintext block • Encrypt first ciphertext block • XOR with second plaintext block,… Conventional Encryption
Decryption in CBC mode • Decrypt first ciphertext block • XOR result with Initial Value Block • first Plaintext block • Decrypt second ciphertext block • XOR with first ciphertext block • second plaintext block. … Conventional Encryption
The Initial Value block IV • First ciphertext block C1 = EK (IVP1) • First Plaintext block P1 = IVDK(C1) • IV should be sent to receiver for decryption Conventional Encryption
Intitial value attcak • Consider bit j of P1 : • P1[j] = IV[j]DK(C1)[j] • If IV[j] is inverted, so is P1[j] • If attacker gets IV on the way, change it and re-send it to receiver, he can predictably change bits of P1 • What can we do to avoid this attack? • Better encrypt IV on its way • IV can be encrypted as a single block, with no chaining Conventional Encryption
Key Distribution Conventional Encryption
Types and Usages of Keys • Session key: • Data encrypted with a short lived session key • At the end of the session the key is destroyed • Permanent (or Master) key: • Used for distributing a (first/new) session key • session key encrypted by master key, sent • A (or B) can do this, • or 3’rd party C with shared master keys Ka, Kb • C is Key Distribution Center (KDC) • How Ka, Kb, are created / distributed? Conventional Encryption
Using KDC: 1. A KDC • A sends non encrypted Request for a session Key for communicating with B • Contents: { A id, B id, N1 Nonce} • Identifier of sender (A) (e.g. Address | port) • Identifier of intended party (B) • A random string (Nonce) what’s that for? • A expects that the nonce will be echoed by the receiver of this message (the KDC) • It will be encrypted so that A will know that it was echoed by KDC and not by an imposter Conventional Encryption
Using KDC: 2. KDC A • 2 parts reply encryptedby master key Ka: • Part I – to be used by A: • One time (first/new) session key • Original request (including the nonce) • A now knows session key came from KDC • A knows it’s not a replay of old reply why? • Part II - encrypted by Kb, will be sent later to B: • Session key and A id Conventional Encryption
Key Distribution Scenario Conventional Encryption
Using KDC: 3. A B • A stores the session key, forwarding Part II to B • Both A and B now know the session key • B knows that session key was created by KDC • But B is not sure whether A is not an imposter • May be it is D, who stole part II, sends to B • B checks if sender knows the session key how • 4. B A: nonce N2, encrypted by the session key • 5. A B: some predefined function of N2 f(N2) • B checks result, if OK, A knows the session key • This is Challenge response authentication Conventional Encryption
Key Distribution Scenario Conventional Encryption