510 likes | 672 Views
Symmetric cryptography. (Slides by Jaap-Henk Hoepman & Jeroen Doumen). Contents. Basics History Ciphers Attacks Hashing. Cryptology goals. Confidentiality Data integrity Authentication Non-repudiation. Cryptology. Cryptography The art of making Cryptanalysis The art of breaking.
E N D
Symmetric cryptography (Slides by Jaap-Henk Hoepman & Jeroen Doumen)
Contents • Basics • History • Ciphers • Attacks • Hashing
Cryptology goals • Confidentiality • Data integrity • Authentication • Non-repudiation
Cryptology • Cryptography • The art of making • Cryptanalysis • The art of breaking
Example 1 • What’s the message? Greetings to all at Oxford. Many thanks for your letter and for the summer examination package all Entry forms and Fess Forms should be ready for final dispatch to the Syndicate by Friday 20th or at the very latest, I’m told, by the 21st. Admin has improved here, though there’s room for improvement still; just give us all two or three more years and we’ll really show you! Please don’t let these wretched 16+ proposals destroy your basic A and O pattern. Certainly this sort of change, If implemented immediately would bring chaos.
public? Secret! Secret! secret? Cryptography plaintext e.g. “attack at dawn” encrypt decrypt ciphertext e.g. “sdwr$350/.]{]gtdfc” “attack at dawn”
“gfd6#Q” “attack” Algorithms + keys • Cipher (aka cryptosystem) • “Public” algorithm + • Secret keys “attack” “sdwr$350” encrypt decrypt
Encrypt/Decrypt • Block oriented • E.g. 256 bits in or out • One-to-one • 1 plaintext maps to 1 ciphertext, and vice-versa • What’s the disadvantage of one-to-many?
Block representation “attack at dawn” ascii 97 116 116 97 99 107 32 97 116 32 …. binary 01100011 01101011 00100000 01100001 32 bits block
History • Monoalphabetic substitution • Caesar • Polyalphabetic substitution • Vigenere • Transposition cipher
Caesar cipher • Replace plaintext letter by letter 3 places further down the alphabet A=1, B=2, C=3, … Encrypt: C = P+3 Decrypt: P = C-3
Caesar: example • Problem: • Letter frequency undisturbed • High frequency ciphertext letters map to high frequency plaintext letters • Solution • Increase the blocksize • To at least 4-5 letters “attackatdawn” “dwwdfndwgdzq”
Vigenere cipher • Code letters as numbers (A=0, B=1, etc.) • Key is keyword • Encrypt • Add keyword to plaintext (letter by letter) • Decrypt • Subtract keyword from ciphertext • Example wearediscoveredsaveyourself deceptivedeceptivedeceptive ZICVTWQNGRZGVTWAVZHCQYGLMGJ +
Plaintext • Text • Distribution of characters known • Distribution of bi-graphs also known: • Data • Format known E: 12% T: 9 % A,I,N,O,R: 8% TH: 3.2% HE: 3.1 % ER: 2.1% <account>87539</account> <amount>1234</amount>
Transposition cipher • Change order of letters in the message “meet me after the toga party” M e m a t r h t g p r y e t e f e t e o a a t “mematrhtgpryetefeteoaat”
Modern ciphers: principles • Confusion • Substitution • Diffusion • Transposition
Encryption • Goal • Data confidentiality • NOT INTEGRITY • Requirements • Ciphertext should not give information about plaintext (or key…) • Ciphertext should look random • Except when key is known • This should hold even if large number of ciphertext / plaintext pairs are known
Stream cipher Stream generator Key stream (bits, or bytes) xor Plaintext stream Ciphertext stream
XOR • XOR truth table: • Property: (c + k) + k = c • We can use same keystream generator to encrypt and to decrypt!
Stream ciphers • Faster and less complex in hardware • (Almost) no buffering • No error propagation • Most streamciphers are confidential • GSM A5/1 -- broken! • Military
Block cipher n bit plaintext block encrypt decrypt n bit ciphertext block
Encrypting larger messages • Operation modes • Electronic codebook (ECB) • Cipher Block Chaining (CBC) • Cipher Feedback (CFB) • Output Feedback (OFB)
ECB mode block block • Same plaintext block maps to same ciphertext block • Reordering, replacing possible • No error propagation • Bit changes only; bit deletions/omissions are a problem encrypt encrypt block block
CBC mode IV block block encrypt encrypt block block • Same plaintext block maps to different ciphertext block • Reordering, replacing not possible • Depending on previous block • Limited error propagation • Affects only current and next block
CFB mode IV • Works like a stream cipher • Self-synchronizing encrypt Ciphertext stream Plaintext stream
OFB mode IV • Works like a stream cipher encrypt Plaintext stream Ciphertext stream
Example: Mickey Mouse • Original picture
Example: Mickey Mouse • Encrypted in ECB mode
Example: Mickey Mouse • Encrypted in CBC mode
Block Cipher design • Iterate a round function • Two different types: • Feistel cipher (e.g. DES) • Substitution-permutation network (e.g. AES) • Round function build from linear functions and S-boxes (nonlinear).
S-Box • Non linear function • Implemented by table • Large table => strong cipher • But large table hard to implement
One Feistel round Li Ri Usually determined by keyschedule P S S S “round key” is derived from key S Li+1 Ri+1
One S/P round Can be determined by keyschedule S S S S S S S S “round key” is derived from key P
AES • Advanced Encryption Standard, published by NIST as FIPS PUB 197 in 2001. • Selected from 15 candidates by NIST in an open selection process. • Successor of DES.
AES properties • Block size 128 (or 194 or 256) bit • Key size 128, 194 or 256 bit • 10, 12 or 14 rounds depending on key length. • Substitution/permutation network, composed of: • Byte substitution • Shift rows • Mix columns • Round key addition
Byte substitution • Plaintext is usually 128 bits, or 16 bytes S
Shift rows and mix columns • Diffusion is reached in two steps • Shift rows
Shift rows and mix columns • Diffusion is reached in two steps • Mix columns Multiply by fixed matrix
Round key addition • Finally, the round key is XOR-ed = Round key
Attacks • Ciphertext only • Known plaintext • Chosen plaintext • Adaptive chosen plaintext • Chosen ciphertext • Adaptive chosen ciphertext passive active
Attacks • Brute force keysearch • passwords • Timing attack • Differential cryptanalysis • Birthday attack • Probability that 2 people of a group of 23 share the same birthday! • 23 ~ square root of 356 (roughly)
Hashing • (Public) Hash function h • Computes fixed length hash for arbitrary plaintext • Goal • Data integrity • Requirements • Pre-image resistant (“hard to invert”) • Hard to find x such that h(x)=z for given hash z • Collision resistant • Hard to find x,y such that h(x)=h(y) • Sometimes keyed
Error detected because h(m’)<>h(m) Accepted! MDC does not prevent forgery m ; h(m) m’ ; h(m’) Using hash functions • Detect modifications (MDC) • Unkeyed hash • Prevent forgery (MAC) • Keyed hash Actually, not secure like this… m ; h(k,m)
SHA • Developed by NIST and published as FIPS 180 in 1993 (SHA-1: FIPS 180-1 of 1995); • Input: arbitrary message < 2^64 bits • Split into 512 bit blocks • Output: 160 bit message digest • New: SHA-{128,256,512}
160 160 160 160 160 160 SHA-1 Message padded to multiple of 512 bits message padding: 10..00 length 512 bits 512 bits 512 bits Y HSHA HSHA HSHA IV CVi CVi+1 output
Remarks • SHA-1 stronger than MD5 • Also RIPEMD-160 • Especially against brute force • SHA-1 slower than MD5 • More rounds • Both perform well on 32 bit architectures • Don’t use MD5