360 likes | 368 Views
Symmetric Key Crypto. Alfred C. Weaver Tom Horton CS453 Electronic Commerce. Readings: Chapter 13 of Treese and Stewart textbook Web resources Weaver’s References Bruce Schneier, “Applied Cryptography,” John Wiley & Sons Andrew Tanenbaum, “Computer Networks,” Prentice-Hall
E N D
Symmetric Key Crypto Alfred C. WeaverTom Horton CS453 Electronic Commerce
Readings: • Chapter 13 of Treese and Stewart textbook • Web resources • Weaver’s References • Bruce Schneier, “Applied Cryptography,” John Wiley & Sons • Andrew Tanenbaum, “Computer Networks,” Prentice-Hall • Jim Kurose and Keith Ross, “Computer Networking,” Addison-Wesley
Original Plaintext Ciphertext Plaintext Encryption Decryption Encryption Key Decryption Key Symmetric Key Encryption
How do you break this strategy? What’s the risk? Odd question for the moment: Is this the strategy we want for encrypting passwords for authentication? Evaluating SKC
Question 1: How do you break this strategy? What’s the risk? Answer: Attack the key! Can you guess it? Find it? Question 2: Is this the strategy we want for encrypting passwords for authentication? Answer: No. Use a one-way hash to convert plain-text to cipher-text. Store cipher-text on system. At authentication, hash what the user types and compare two cipher-texts for match. How to attack? Same as above. Answers
What are some major (historical) SKC algorithms? DES, Triple-DES, IDEA, RC4, AES How do they work? (Hmm.) Where do they stand? How do they fit into larger systems? Topics
Data Encryption Standard • Government requested white papers on proposed cryptographic standard in early 1970s • IBM responded with a clever design • NSA approved (and changed) the design • NBS (now NIST) certified the design in 1976 as Data Encryption Standard (DES) • Recertified in 1987 and 1993 • World’s most commonly used algorithm
DES • Iterated block cipher with 56-bit key (although 64 are specified, 8 are parity) • Iterated • multiple repetitions of basic algorithm • DES uses 16 rounds • Block cipher • encrypts fixed-size data groups • DES uses 8-byte (64-bit) blocks • data divided into 64-bit chunks • Key space • 256 keys ~= 72 x 1015 possible keys
DES • Uses a combination of confusion and diffusion • every bit of the key (56 bits) and every bit of the plaintext (64 bits) affects every bit of the ciphertext (64 bits) • key is shifted and massaged each round to produce a subkey • plaintext is permuted, shifted, selected, and massaged against a permuted, shifted, and selected subkey 16 times • each 64-bit plaintext produces a 64-bit ciphertext
DES Plaintext Permutation L0 R0 + K1 one round f L1 = R0 R1 = L0 f (R0,K1) ….. L16 = R15 R16 = L15 f (R15,K16) Permutation Ciphertext
DES • 1. Plaintext enters as 64-bit block • 2. Bits are permuted and divided into left-hand side (L0) and right-hand side (R0) • 3. Repeat 16 rounds of encryption: • (a) Key from previous round is divided into two 28-bit halves • (b) Each half of key is shifted and subjected to a compression permutation that selects 48 of the 56 bits for propagation into the next round
DES • (c) Right-hand side Rifrom previous round subjected to expansion permutation that increases 32 bits into 48 bits by selective repetition of certain bits • (d) Expanded, permuted right-hand side Riis exclusive-ORed with shifted, compressed key • (e) Result goes through substitution box that moves the bits around and expands 32 bits into 48 bits temporarily
DES • (f) Temporary result goes through a permutation box that moves bits around and reduces 48 bits to 32 bits • (g) Left-hand side is exclusive-ORed with output of permutation box to produce a new right-hand side • (h) New left-hand side is copied from right-hand side of previous round
DES • At the end of 16 rounds • 64-bit result permuted once more • Final 64-bit ciphertext emitted • Note: no security due to secrecy—the algorithm has been published and studied extensively since 1975 • All the security is in the key
DES Decryption • Use the ciphertext as the plaintext • Use same initial key • Run the algorithm backwards through 16 rounds, using subkeys in reverse order K16, K15, …, K1 • DES outputs the plaintext • Many companies now offer DES on a chip so it runs at wire speed
DES Implementation • Java implementation of DES available at http://intercom.virginia.edu/crypto/crypto.html
A Brief IBM / NSA History • IBM needed crypto for ATM • Idea began as Lucifer with 128-bit key • IBM needed an export license • NSA agreed to vet the algorithm • NSA probably changed the S-boxes • NSA told IBM to reduce the key size • IBM agreed to 64 bits • Production reduced it to 56 bits plus parity • IBM got its export license
Security of DES • DES started in 1976 • It was secure then – but not now • Jan. 1997: RSA Data Security issued a cryptographic challenge • Research project DESCHALL used distributed computing (14,000 unique computers over 3 months) to crack DES with 56-bit key • http://www.interhack.net/projects/deschall/ • At its peak, DESCHALL was testing 7 billion keys/second
Security of DES • July 1998: DES Challenge II • Electronic Frontier Foundation (EFF) built a DES code-cracker for $250k • Cracked DES in 3 days • Jan. 1999: DES Challenge III • Distributed.Net used EFF DES cracker plus 100,000 PCs on the Internet to crack DES in 22 hours 15 min. • Testing 245 billion keys/sec when key was found
Security of DES • Reported in late 90s that DES could be cracked “in a few hours” (presumably by NSA) • Reasonable to assume that DES can now be cracked very quickly with special hardware and/or a distributed approach
Weak Keys • Some 56-bit keys are known to be weak • 0000000 0000000 • 0000000 FFFFFFF • FFFFFFF 0000000 • FFFFFFF FFFFFFF • Repeating bits do not “stir” well when shifted • Also some “possibly weak” keys, but these are identified in the literature so don’t use them
Triple-DES • Triple-DES invented to boost security • Uses three separate encryption and decryption cycles with two or three unique keys • Two unique keys gives 2x56=112 bit protection • Three unique keys gives 3x56=168 bit protection
Triple-DES DES-1 DES DES Plaintext Key-3 Key-1 Key-2 Ciphertext DES-1 DES DES-1
Triple-DES with Three Unique Keys • Sender: • Encrypt with Key-1 • Decrypt with Key-2 (decryption has same scrambling power as encryption) • Encrypt with Key-3 • Receiver: • Decrypt with Key-3 • Encrypt with Key-2 • Decrypt with Key-1 • Power: 56x3=168 bit key
Triple-DES with Two Unique Keys • Sender: • Encrypt with Key-1 • Decrypt with Key-2 • Encrypt with Key-1 again • Receiver: • Decrypt with Key-1 • Encrypt with Key-2 • Decrypt with Key-1 • Power: 56x2=112 bit key
Triple-DES with One Unique Key • Sender: • Encrypt with Key-1 • Decrypt with Key-1 • Encrypt with Key-1 • Receiver: • Decrypt with Key-1 • Encrypt with Key-1 • Decrypt with Key-1 • Power: 56 bit key (exactly equal to DES)
Triple-DES • Why use three unique keys instead of one? • that’s easy! • power of 168-bit key vs. 56-bit key • many, many, many orders of magnitude harder to crack than DES • Why use two keys instead of one? • power of 112-bit key vs. 56-bit key • many orders of magnitude harder to crack than DES • two keys (112 bits) easier to manage than three (doubtful) • 112-bit key is fairly secure today • Why use one key instead of two or three? • setting key1=key2=key3 makes 3DES interoperate with DES • of course the power is just one 56-bit key • only use would be for backward compatibility
Security of DES and Triple-DES • Is DES suitable for commercial transactions? • today the answer is no • nevertheless it is in daily, wide-spread use • Triple-DES very robust, very well suited to commercial activities
IDEA • International Data Encryption Algorithm • proposed 1992 • symmetric-key, 128 bits • 64-bit blocks • similar in design, but different in detail, from DES
IDEA • Design philosophy is “mixing operations from three algebraic groups” • XOR • Addition modulo 216 • Multiplication modulo 216 + 1 (substitutes for DES S-box) • About twice as fast as DES • Used in PGP • Very strong symmetric key encryption algorithm
AES • NIST held a competition to replace DES • Five serious entries, including 3DES • Winner was Rijndael (pronounced “Rhine-doll”) from two co-inventors in Belgium • AES is a 128-, 192-, or 256-bit block cipher • Uses 128, 192, or 256 bit symmetric keys • AES uses an affine transformation with a non-linear substitution box
AES • 3.4 x 1038 128-bit keys • 6.2 x 1057 192-bit keys • 1.1 x 1077 256-bit keys • Compare those to DES’s 56-bit key with 7.2 x 1016 keys • Assume you could crack DES (i.e., full search of a 56-bit key space) in one second • Then cracking AES with a 128-bit key would take 149 trillion years • The universe is ~14 billion years old
AES • AES is the way of the future • Threats: • backdoor? (probably not) • massive distributed computation • quantum computing • something we've not thought of
Others • RC4 • Developed by Ron Rivest • Will pop up in discussions of RSA, SSL • Blowfish • Developed by Bruce Schneier • Free, fast • Variable length key
Summary and What’s Next • A set of historical algorithms • Culminating in AES • DES illustrates some of the controversies and social issues inherent in cryptography • PGP too • Weakness • Keys must be shared • An alternative • Public Key Encryption, possibly combined with SKC