
Secret-key encryption: AES Model Terminology AES


Presentation Transcript


  1. Applied cryptography: encryption and digital signature
  • Secret-key encryption: AES
  • Public-key encryption: RSA
  • Digital signature
  Network Security

  2. Secret-key encryption: AES
  • Model
  • Terminology
  • AES

  3. Security problem: Alice sends "How are you? This is Alice." to Bob over open networks, and Eve, an eavesdropper, can read it.

  4. Secret-key encryption: Alice and Bob share a key K, established over a secure channel. Alice's encryption turns the message into ciphertext (e.g. ?Xx#4fa9$3pd1@$^85f) before it crosses the open networks; the eavesdropper sees only ???, and Bob's decryption with the same K recovers the message.

  5. Model: plaintext P and key K go into the encryption algorithm E, producing ciphertext C; the decryption algorithm D with the same key K recovers P. Cryptanalysis works on C and produces guesses P', K'.

  6. Terminology
  • Plaintext P: the message
  • Ciphertext C: the encrypted message
  • Secret key K: a binary string of some fixed length
  • Encryption algorithm E: E(K,P) = E_K(P) = C
  • Decryption algorithm D: D(K,C) = D_K(C) = P, for C = E_K(P)
  • D(K, E(K,P)) = P

  7. Terminology (cont.)
  • Cryptosystem (or code)
  • Key space: the set of all possible keys
  • Message space: the set of all possible messages
  • Ciphertext space: the set of all possible ciphertexts
  • Encryption algorithm: key space × message space → ciphertext space
  • Decryption algorithm: key space × ciphertext space → message space

  8. General use
  • All users use the same encryption and decryption algorithms
  • A pair of users establish a secret key from the key space between them
  • Each user has N-1 keys
  • Total N(N-1)/2 keys
  • Alice and Bob use K_A,B for secure communication, where K_A,B is known to Alice and Bob only

  9. Performance requirement
  • Encryption and decryption algorithms must be
    • Simple
    • Very fast
    • Secure
  • Software implementation: 10M-100M bits per second
  • Hardware implementation: 100M-1G bits per second

  10. Cryptanalysis: basic assumptions
  • Encryption and decryption algorithms are public
  • Only the key is unknown
  • Successful attack
    • Get partial or whole key
    • Get partial or whole plaintext of the challenge ciphertext

  11. Attack types
  • Ciphertext only attack: given some ciphertexts C1, C2, …
  • Known plaintext attack: given some pairs of plaintext and ciphertext (P1,C1), (P2,C2), …
  • Chosen plaintext attack: given pairs of plaintext and ciphertext (P1,C1), (P2,C2), …, where the Pi's are chosen by the attacker

  12. Attack types (cont.)
  • Chosen ciphertext attack: given pairs of plaintext and ciphertext (P1,C1), (P2,C2), …, where the Ci's are chosen by the attacker
  • Chosen text attack: given pairs of plaintext and ciphertext (P1,C1), (P2,C2), …, where some Pi's and some Cj's are chosen by the attacker

  13. Security types
  • Unconditionally (information-theoretically) secure: no matter how many resources (time, space, ciphertext) are given, the attacker cannot uniquely determine the key or the plaintext of the challenge ciphertext
  • Computationally secure: the attacker cannot get the key or the plaintext of the challenge ciphertext using limited resources

  14. How large is large?

  15. Scale magnitude

  16. One-time pad: cryptosystem
  • Key space: m-bit strings
  • Plaintext space: m-bit strings
  • Ciphertext space: m-bit strings
  • Encryption: C = E(K,P) = P ⊕ K
  • Decryption: P = D(K,C) = C ⊕ K, since C ⊕ K = P ⊕ K ⊕ K = P
  • KEY IS USED ONLY ONCE
  • Key length = message length

  17. One-time pad: security
  • Key must be chosen randomly and used only once
  • Unconditionally (totally) secure: given a fixed ciphertext C, for every plaintext P there is a key K = P ⊕ C
  • Therefore, there is no way for the attacker to know the exact key K
  • Impractical in most cases since the plaintext length is equal to the key length
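The one-time pad argument of slides 16 and 17 in code. This is an added example, not from the slides: the function names, the constructed messages and the use of Python's secrets module for the random key are all my choices; key_explaining shows that any same-length plaintext is consistent with a given C, and two_time_pad_leak shows what reusing K gives away, which is why the slide insists the key is used only once.

```python
import secrets


def otp_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """C = P xor K. The key must be random, exactly as long as the message, and never reused."""
    if len(key) != len(plaintext):
        raise ValueError("key length must equal message length")
    return bytes(p ^ k for p, k in zip(plaintext, key))


# D(K, C) = C xor K = P xor K xor K = P: decryption is the same operation.
otp_decrypt = otp_encrypt


def key_explaining(ciphertext: bytes, candidate_plaintext: bytes) -> bytes:
    """Slide 17: for a fixed C and *any* plaintext P of the same length there is a key
    K = P xor C that decrypts C to P, so C alone cannot single out the true plaintext."""
    return otp_encrypt(ciphertext, candidate_plaintext)


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """If the same K is used twice, C1 xor C2 = P1 xor P2: the key cancels out and the
    relation between the two plaintexts is exposed. This is the failure the slide's
    'KEY IS USED ONLY ONCE' rule prevents."""
    if len(c1) != len(c2):
        raise ValueError("ciphertexts must have equal length")
    return bytes(a ^ b for a, b in zip(c1, c2))


def demo() -> bytes:
    """Constructed walk-through: a fresh random pad for Alice's message from slide 3."""
    plaintext = b"This is Alice."
    key = secrets.token_bytes(len(plaintext))      # random, message-length, single use
    ciphertext = otp_encrypt(key, plaintext)
    assert otp_decrypt(key, ciphertext) == plaintext
    # A different plaintext of the same length is explained by a different, equally valid key.
    decoy = b"This is Trent."
    assert otp_decrypt(key_explaining(ciphertext, decoy), ciphertext) == decoy
    return ciphertext
```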

  18. Multi-stage cipher. Encryption: P → E1 (K1) → E2 (K2) → … → Em-1 (Km-1) → Em (Km) → C. Decryption: C → Dm (Km) → Dm-1 (Km-1) → … → D2 (K2) → D1 (K1) → P.

  19. Multi-stage cipher (cont.)
  • Each sub-cipher: simple, very fast, not so secure (but easy to analyze)
  • Concatenated ciphers: simple, fast (but m times slower than a sub-cipher), more secure
  • Tradeoff: security vs. speed
    • More sub-ciphers → more secure → slower
    • Fewer sub-ciphers → less secure → faster

  20. AES
  • Advanced Encryption Standard
  • Motivation: to replace DES
  • NIST called for proposals, Jan 2, 1997, with selection criteria
    • Security
    • Computational efficiency
    • Memory requirement
    • Hardware and software suitability
    • Simplicity
    • Flexibility
    • Licensing requirements

  21. AES (cont.)
  • NIST announced on Oct 2, 2000 that the AES algorithm is Rijndael
  • Rijndael
    • Joan Daemen & Vincent Rijmen (Belgium)
    • Key size: 128, 192, 256
    • Block size: 128, 192, 256
    • Rounds: flexible

  22. Mathematical background
  • Byte-level operations
    • Each byte consists of 8 bits (over the field GF(2^8))
    • Example: (57)_16 ↔ 0·x^7 + x^6 + 0·x^5 + x^4 + 0·x^3 + x^2 + x + 1
  • Addition (bitwise XOR)
    • Example: 57 + 83 = D4
    • (x^6 + x^4 + x^2 + x + 1) + (x^7 + x + 1) = x^7 + x^6 + x^4 + x^2
  • Multiplication (mod m(x))
    • m(x) = x^8 + x^4 + x^3 + x + 1, or (11B)_16: an irreducible polynomial
    • Example: 57 · 83 (mod m(x)) = C1
    • (x^6 + x^4 + x^2 + x + 1)(x^7 + x + 1) mod m(x) = x^13 + x^11 + x^9 + x^8 + x^6 + x^5 + x^4 + x^3 + 1 mod m(x) = x^7 + x^6 + 1

  23. Mathematical background (cont.)
  • Word-level operations
    • Each word consists of 4 bytes
    • Bytes are operated on over GF(2^8)
    • a(y) = a3·y^3 + a2·y^2 + a1·y + a0, where the ai are over GF(2^8)
    • b(y) = b3·y^3 + b2·y^2 + b1·y + b0, where the bi are over GF(2^8)
    • Definition: a(y) ⊗ b(y) = a(y)·b(y) mod (y^4 + 1)

  24. Mathematical background (cont.)
  • d(y) = a(y) ⊗ b(y) = d3·y^3 + d2·y^2 + d1·y + d0, where each di is computed with byte-level operations:
    • d0 = a0·b0 + a3·b1 + a2·b2 + a1·b3
    • d1 = a1·b0 + a0·b1 + a3·b2 + a2·b3
    • d2 = a2·b0 + a1·b1 + a0·b2 + a3·b3
    • d3 = a3·b0 + a2·b1 + a1·b2 + a0·b3

  25. Rijndael (round structure: state X_i passes through a non-linear layer, a linear mixing layer and a key addition layer to become X_i+1)
  • Iterated block cipher
  • Variable block length: 128, 192, 256
  • Variable key length: 128, 192, 256
  • Design techniques
    • Whitening: original plaintext + the first sub-key
    • Wide trail strategy

  26. Plaintext: Nb
  • State: an intermediate cipher result
  • Plaintext → State, a byte array of 4·Nb bytes
    • 16 bytes
    • 24 bytes
    • 32 bytes
  • Each unit of Nb represents 32 bits

  27. Cipher key: Nk
  • Key → Key, a byte array of 4·Nk bytes
    • 16 bytes
    • 24 bytes
    • 32 bytes
  • Each unit of Nk represents 32 bits

  28. Rounds

  29. Specification
  • Main steps
    • An initial round-key addition
    • Nr-1 rounds
    • A final round
  • Pseudo C code:
    Rijndael(State, CipherKey) {
      KeyExpansion(CipherKey, ExpandedKey);
      AddRoundKey(State, ExpandedKey);
      for (i = 1; i < Nr; i++) Round(State, ExpandedKey + Nb*i);
      FinalRound(State, ExpandedKey + Nb*Nr);
    }

  30. Specification (cont.)
  • Round(State, RoundKey) {
      ByteSub(State);
      ShiftRow(State);
      MixColumn(State);
      AddRoundKey(State, RoundKey);
    }
  • FinalRound(State, RoundKey) {
      ByteSub(State);
      ShiftRow(State);
      AddRoundKey(State, RoundKey);
    }

  31. Key schedule
  • CipherKey is expanded to Nr+1 sub-keys
  • Each sub-key is Nb·32 bits long (the block size)
  • The first sub-key is for initial whitening
  • The middle Nr-1 sub-keys are for the Nr-1 rounds
  • The last sub-key is for the final round

  32. Key expansion (figure: the expanded key as a sequence of 32-bit words, 1st, 2nd, …; each new word is computed from the previous 4 words)

  33. Key expansion (cont.): the first Nk words are filled with the cipher key → compute the next Nk words

  34. ByteSub(State)
  • Highly non-linear
  • Invertible S-box
  • One single S-box

  35. ByteSub(State) (cont.)
  • S-box
    • 8 bits → 8 bits (byte-level operation)
    • Invertible
    • a(x) → b(x) = a^-1(x) mod m(x), with m(x) = x^8 + x^4 + x^3 + x + 1
    • Computed by the extended Euclidean algorithm to find b(x) and c(x) such that b(x)·a(x) + c(x)·m(x) = 1
    • Note: '00' → '00'
    • b(x) = b7·x^7 + b6·x^6 + b5·x^5 + b4·x^4 + b3·x^3 + b2·x^2 + b1·x + b0

  36. ByteSub(State) (cont.)
  • d(x) = d7·x^7 + d6·x^6 + d5·x^5 + d4·x^4 + d3·x^3 + d2·x^2 + d1·x + d0, derived from b(x)
  • S(a(x)) = d(x)

  37. ShiftRow(State)

  38. MixColumn(State)
  • c(y) = '03'·y^3 + '01'·y^2 + '01'·y + '02'
  • High intra-column diffusion
  • Interaction with ShiftRow
  • High diffusion over multiple rounds

  39. AddRoundKey(State, ExpandedKey)

  40. Decryption
  • Every step is "invertible", but sub-keys are used in reverse order
  • InvRound(State, RoundKey) {
      AddRoundKey(State, RoundKey);
      InvMixColumn(State);
      InvShiftRow(State);
      InvByteSub(State);
    }
  • In InvMixColumn, c(y) is replaced by d(y) = c(y)^-1 mod (y^4 + 1) = '0B'·y^3 + '0D'·y^2 + '09'·y + '0E'
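The byte and word arithmetic of slides 22 to 24, the S-box of slides 35 and 36, and the MixColumn/InvMixColumn polynomials of slides 38 and 40, worked through in one place. This is an added example, not the slides' own code: it computes the multiplicative inverse as a^254 rather than by the extended Euclidean algorithm the slide names, and the affine part of the S-box is written as rotations; function names and the column used for checking are my own.

```python
from functools import reduce
from operator import xor

M_X = 0x11B  # m(x) = x^8 + x^4 + x^3 + x + 1, the irreducible polynomial of slide 22

def gf_mul(a, b):
    """Multiply two bytes as polynomials over GF(2), reducing mod m(x) whenever the
    degree reaches 8. Addition in GF(2^8) is plain XOR (slide 22: 57 + 83 = D4)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= M_X
        b >>= 1
    return r

def gf_inv(a):
    """a^-1 mod m(x), computed as a^254 (the group has 255 elements); 00 maps to 00."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def sbox(a):
    """ByteSub on one byte: inverse b(x), then the fixed affine map giving d(x) (slide 36),
    written as b XOR its rotations by 1..4 bits XOR the constant 63."""
    b = gf_inv(a)
    d = 0x63
    for i in range(5):
        d ^= ((b << i) | (b >> (8 - i))) & 0xFF
    return d

def word_mul(a, b):
    """Slide 24: d_i = sum over j of a_((i-j) mod 4) * b_j, i.e. a(y)*b(y) mod y^4+1.
    Words are coefficient lists [w0, w1, w2, w3], w0 being the constant term."""
    return [reduce(xor, (gf_mul(a[(i - j) % 4], b[j]) for j in range(4))) for i in range(4)]

C_Y = [0x02, 0x01, 0x01, 0x03]  # c(y) = 03 y^3 + 01 y^2 + 01 y + 02 (slide 38)
D_Y = [0x0E, 0x09, 0x0D, 0x0B]  # d(y) = c(y)^-1 mod y^4+1, used by InvMixColumn (slide 40)

def mix_column(col):
    """MixColumn on one 4-byte column: c(y) * col mod y^4+1."""
    return word_mul(C_Y, col)

def inv_mix_column(col):
    """InvMixColumn on one column: d(y) * col mod y^4+1, undoing mix_column."""
    return word_mul(D_Y, col)
```

word_mul(C_Y, D_Y) returning [1, 0, 0, 0] is the check that d(y) really is the inverse of c(y).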

  41. Motivation
  • Solve two difficult problems of secret-key cryptosystems
  • Problem I: key distribution
    • Goal: no key establishment between two users and no key distribution center that knows the secret keys of users
  • Problem II: digital signature (universal authentication)
    • Goal: widespread commercial use

  42. Public-key encryption: RSA
  • Principles
  • RSA algorithm
  • DH key exchange

  43. Public-key system
  • Two related keys (a key pair)
    • Public key KU: publicly known by everyone
    • Private key KR: known only by the owner
  • Security requirement: computationally infeasible to determine the decryption key from the encryption key

  44. Types of public-key systems
  • Public-key encryption
    • Everyone can send messages to everyone securely
    • For secrecy (privacy) of messages
    • Each user possesses only a pair of keys
  • Digital signature
    • Emulates the social signature
    • For authentication of messages/users
    • Everyone can check the validity of a signature signed by some user
  • Key exchange
    • Two distant users establish a session key over an insecure channel

  45.

  46. Public-key encryption
  • Key generation: each (end) user X generates a pair of keys (KU_X, KR_X)
  • User X keeps his decryption key KR_X secret
  • User X publishes his encryption key KU_X in a public directory
  • When a user Y wishes to send message M to X, it encrypts M with X's public key KU_X as C = E(KU_X, M). NOTE: everyone can encrypt messages
  • When X receives the ciphertext C, it uses KR_X to compute the plaintext M = D(KR_X, C)

  47. Public-key encryption (cont.)
  • Key generation algorithm (probabilistic): security parameter → a key pair
  • Encryption algorithm E: public key × plaintext → ciphertext
  • Decryption algorithm D: private key × ciphertext → plaintext
  • Equation: M = D(KR_X, E(KU_X, M))

  48. Comparison

  49. RSA public-key system
  Key generation algorithm. Input: k;
  • Randomly generate two primes p and q of length k/2 bits;
  • Compute n = pq; (n is k bits long)
  • Randomly select e, 2 ≤ e ≤ φ(n)-1, with gcd(e, φ(n)) = 1; (Note: φ(n) = (p-1)(q-1))
  • Compute d = e^-1 mod φ(n);
  • KU = (e, n), KR = (d, n)
  (Note: (1) p, q are not needed any more; (2) e and d are symmetric, i.e. e = d^-1 mod φ(n))

  50. RSA public-key system (cont.)
  Encryption algorithm E. Input: ((e,n), M); (0 ≤ M ≤ n-1)
  • Compute C = M^e mod n;
  • Output(C).
  Decryption algorithm D. Input: ((d,n), C); (0 ≤ C ≤ n-1)
  • Compute M = C^d mod n;
  • Output(M).
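The key generation, encryption and decryption steps of slides 49 and 50 as a runnable toy. This is an added example, not the slides' code: the prime search uses trial division (fine for the small k used here; it is not how real key sizes are generated), the function names are mine, and the range checks 0 ≤ M ≤ n-1 and 0 ≤ C ≤ n-1 are the ones the slide states as input conditions.

```python
import math
import secrets


def is_prime(n):
    """Trial division, adequate only for the toy bit lengths used in this example."""
    if n < 2:
        return False
    return all(n % f for f in range(2, math.isqrt(n) + 1))


def random_prime(bits):
    """Random prime of exactly `bits` bits (top bit set, so p*q has about k bits)."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(cand):
            return cand


def rsa_keygen(k):
    """Slide 49: p, q of k/2 bits; n = pq; e coprime to phi(n); d = e^-1 mod phi(n).
    Returns KU = (e, n) and KR = (d, n); p and q are discarded, as the slide notes."""
    p = random_prime(k // 2)
    q = random_prime(k // 2)
    while q == p:                      # distinct primes, otherwise phi(n) is wrong
        q = random_prime(k // 2)
    n, phi = p * q, (p - 1) * (q - 1)
    while True:
        e = secrets.randbelow(phi - 2) + 2      # 2 <= e <= phi(n)-1
        if math.gcd(e, phi) == 1:
            break
    d = pow(e, -1, phi)                         # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def rsa_encrypt(ku, m):
    """Slide 50, E: C = M^e mod n, with 0 <= M <= n-1 enforced."""
    e, n = ku
    if not 0 <= m <= n - 1:
        raise ValueError("message must satisfy 0 <= M <= n-1")
    return pow(m, e, n)


def rsa_decrypt(kr, c):
    """Slide 50, D: M = C^d mod n, with 0 <= C <= n-1 enforced."""
    d, n = kr
    if not 0 <= c <= n - 1:
        raise ValueError("ciphertext must satisfy 0 <= C <= n-1")
    return pow(c, d, n)
```

This is the unpadded textbook scheme exactly as the slides give it; deployed RSA encryption wraps M in a padding scheme such as OAEP before exponentiation.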
