330 likes | 341 Views
This lecture covers the use of block ciphers in cryptography, including modes of operation and differential cryptanalysis. The lecture materials are provided by David Evans from the University of Virginia's CS 588 Security and Privacy course.
E N D
Lecture 7: Using Block Ciphers David Evans http://www.cs.virginia.edu/evans Images from http://rfidanalysis.org/ CS588: Security and Privacy University of Virginia Computer Science
Menu • PS2 • Modes of Operation • Differential Cryptanalysis Sorry, PS1 is not ready to return yet! If you want it back before then, find me at my office tomorrow morning, or get it from Matt during his office hours (2:30-3:30 tomorrow) University of Virginia CS 588
Ken Elzinga’s Theory on Writing Mysteries • Requires: • Creativity • Discipline • Very few people can be both • Most good mystery novels are written by pairs: • “Marshall Jevons” = Bill Breit and Ken Elzinga • “Ellery Queen” = Manfred Lee and Frederic Danna University of Virginia CS 588
Dave Evans’ Ken Elzinga’s Theory on Writing Mysteries Cryptography • Requires: • Creativity • Discipline • Very few people can be both • Most good mystery novels are written by pairs: • Dolev-Yao, Needham-Schroeder, Diffie-Hellman, Daemen/Rijmen (AES), Blum-Blum-Shub, Rivest-Shamir-Adleman, Boneh/Franklin (IBE) designed/broken ciphers small teams University of Virginia CS 588
Creativity vs. Discipline • Creativity: mostly about breaking rules • Discipline: mostly about following rules • Rules = internal consistency, mathematical correctness, sticking with stated assumptions • US was founded by rebels and has lots of space, so we value creativity most (except in teenagers and soldiers) University of Virginia CS 588
RSA [1978] • Ron Rivest and Adi Shamir tried to find ways to implement public-key cryptography • Len Adleman poked holes in their first dozen ideas • Eventually, they found one he couldn’t • Adelman thought the cipher should be RS (but Rivest convinced him otherwise) We’ll cover RSA later after spring break, but you’ve probably heard of it already. It’s the most important cipher invented since One Time Pad (Vernam, 1917). University of Virginia CS 588
Overstatement? “The most important technological breakthrough in the last thousand years.” Lawrence Lessig (Possibly an overstatement, but he’s a lawyer) University of Virginia CS 588
PS2 Teams • Must be diverse in at least 2 of these: • Nationality • Major (CS/Math/ECE/Bioinformatics/other) • Year (Grad/4th/3rd/other) • Liked breaking two-time pad (yes/no) • Examples: • Austrailian bioinformatics major can work with anyone • USian, 4th year CS major who liked breaking two-time pad can’t work with a USian 3rd year CS major unless she/he didn’t like breaking the two-time pad • If you can get Ron Rivest, Adi Shamir or Len Adelman on your team, you don’t need to worry about the other rules Find a partner before leaving today! University of Virginia CS 588
Confidentiality Modes of Operation University of Virginia CS 588
Modes of Operation • Transmitting a long plaintext using 3DES: P = P1 || P2 || ... || PN • Electronic Codebook Mode: C = EK (P1) || EK (P2) || ... || EK (PN) • Problems: • Any identical blocks encrypted identically • 64 bits = 8 ASCII characters • Reveals lots about your message (even if unbroken) • Lots of ciphertext encrypted with same K University of Virginia CS 588
Cipher Block Chaining P2 P1 IV ... DES DES K K C2 C1 to receiver to receiver University of Virginia CS 588
Cipher Block Chaining Ci = EK (Pi Ci - 1) C1 = EK (P1 IV) Decrypt: Mi = DK (Ci ) Ci - 1 M1 = DK (C1 ) IV DK (EK (Pi Ci - 1)) Ci – 1 = Pi Ci - 1 Ci – 1 = Pi University of Virginia CS 588
shift j bits IV DES DES K K j bits j bits C1 C2 to receiver to receiver P1 P2 Cipher Feedback Mode ... Does the IV need to be secret? University of Virginia CS 588
shift j bits IV DES DES K K j bits C1 C2 to receiver to receiver P1 P2 Output Feedback Mode ... j bits University of Virginia CS 588
CFB vs OFB shift j bits IV shift j bits IV DES DES DES DES K K K K j bits j bits j bits C1 C2 C1 C2 to receiver to receiver to receiver to receiver P1 P2 P1 P2 Which is better for wireless transmissions? Which is better for preventing message tampering? University of Virginia CS 588
What does is mean to “break” a cipher? • Practical: • You can determine the plaintext corresponding to some ciphertext without the key • You can determine the key given some plaintext-ciphertext pairs University of Virginia CS 588
What does is mean to “break” a cipher? • Academic: • You have a technique that does better than brute force (e.g., break 112-bit 3DES with 2111 max attempts) • You have a techniques that does better than brute force on a weakened (less rounds, smaller block) version of cipher (e.g., break DES with 15 rounds) • You have identified some mathematical weakness if the cipher, but don’t yet know how to use it usefully (e.g., there exist two different keys that map plaintext to same ciphertext) University of Virginia CS 588
DES Attacks • Last time: • Mostly Brute force (guessing all keys) • DES keyspace is too small • But no where near good enough for 3DES • Side-Channel: Power Analysis • Now: Differential Cryptanalysis University of Virginia CS 588
Differential Cryptanalysis • [Biham & Shamir, 1990] • With enough work (247) and enough chosen plaintexts (247) can find key (compared to 256 brute force work) • Successful academic attack: takes 3 years of 1.5Mbps encrypting chosen plaintext to get enough! • Is successful practical attack on other ciphers University of Virginia CS 588
Differential Cryptanalysis Idea • Choose plaintext pairs with fixed difference: X = X X’ • Use differences in resulting ciphertext to guess key probabilities • Requires choosen plaintext: attacker chooses plaintext and receives ciphertext (e.g., SpeedyPass challenge-response protocol!) University of Virginia CS 588
One Round X X’ • X = X X’ • Xi = 0 iff Xi = Xi’ 32 bits 32 bits E/P E/P X1’ 48 bits 48 bits X1 E/P preserves values: Xi = 0 X1ep(i) = X1ep(i)’ where ep(i) is a function defined by the E table Kn X2’ X2 S S X3’ X3 32 bits 32 bits • preserves values: X2i = X1i Kn X2i’= X1i’ Kn • Xi = 0 X2ep(i) = X2ep(i)’ P P X4 X4’ University of Virginia CS 588
One Round, cont. X2’ X2 S S • Xi = 0 X2ep(i) = X2ep(i)’ X3i = X3i’ X4p(i) = X4p(i)’ X3’ X3 P P X4 X4’ (Known from ciphertext) • S-boxes are non-linear! • Xi = 0 X3s(ep(i)) = X3s(ep(i))’ • But, maybe they do probabilistically: • Xi = 0 p(X3s(ep(i)) = X3s(ep(i))’) > .5 ? p(X3s(ep(i)) = X3s(ep(i))’) < .5 ? Its a function of the key: p determined experimentally. University of Virginia CS 588
This slides are based on Howard Heys’ Tutorial on Linear and Divverential Cryptanalysis (linked from course website) Differential Characteristics Inputs: A = [A1, A2, A3…A64] B = [B1, B2, B3…B64] Outputs: a = [a1, a2, a3…a64] = { A }K b = [b1, b2, b3…b64] = { B }K Differences: ΔP = A B = [ A1 B1, …, A64 B64 ] ΔC = a b = [ a1 b1, …, a64 b64 ] Differential = (ΔP, ΔC) University of Virginia CS 588
Inputs: A = [A1, A2, A3…A64] B = [B1, B2, B3…B64] Outputs: a = [a1, a2, a3…a64] = { A }K b = [b1, b2, b3…b64] = { B }K Differences: ΔP = A B = [ A1 B1, …, A64 B64 ] ΔC = a b = [ a1 b1, …, a64 b64 ] Differential = (ΔP, ΔC) Goal • Find a particular value of ΔP for which a particular ΔC value occurs with high probability • Allows attacker to predict bits coming into last round of cipher If you know what one round of DES does, you can find the subkey for that round (fairly easily)! University of Virginia CS 588
From Howard Heys’ Tutorial on Linear and Differential Cryptanalysis http://www.engr.mun.ca/~howard/PAPERS/ldc_tutorial.pdf University of Virginia CS 588
Remember: S-Boxes are confusing, but not secret. All DES implementataions use the same S-Boxes. S-box: S1 6 bits: x1x2x3x4x5x6 x2x3x4x5 select column x1x6 00 01 10 11 4 inputs to S1 produce 0: 011100, 000001, 111110, 111011 University of Virginia CS 588
Partial pair XOR Distribution, S1 Input XOR (6 bits) University of Virginia CS 588
What would ideal distribution be? Input XOR University of Virginia CS 588
What would ideal distribution be? Getting determinstically different outputs when the inputs are identical is really, really hard! Why can’t we just make S-Boxes that do this? Input XOR University of Virginia CS 588
Differential Cryptanalysis • Propagate experimental probabilities for 1 round through 16 rounds • After enough P-C pairs, one key becomes most probable • Difficulty depends heavily on S-Box choices • First published in 1990, but NSA knew about it in 1973! (That’s why they changed IBM’s S-Boxes!) University of Virginia CS 588
Differential Cryptanalysis • “Successful” on DES up to 15 rounds (better than exhaustive search) • By 16th round, characteristics probabilities are 2-56 • Very successful on DES variants (breaks GDES with 6 chosen plaintexts) • Very successful on FEAL (FEAL-4, FEAL-8, FEAL-N, FEAL-NX, ...) • Would be very successful on Curry Cipher (but so would less sophisticated techniques) University of Virginia CS 588
Related Techniques • Linear Cryptanalysis [Matsui, 1994] • Try to find equations like, Xi1 Xi2 … Xin Yj1 Yj2 … Yjv = 0 where Xik selects some input bit and Yjk selects some output bit such that probability it is satisfied is different from ½ • Boomerang Attack [Wagner 1999] • Slide Attacks [Biryukov & Wagner, 1999] University of Virginia CS 588
Charge • Find a partner for PS2 now • If you already have gotten past question 1 with someone, you can keep working together • Otherwise, find a partner who satisfies the diversity constraints (different in 2 or more): • Nationality • Major (CS/Math/ECE/Bioinformatics/other) • Year (Grad/4th/3rd/other) • Liked breaking two-time pad (yes/no) University of Virginia CS 588