Structures have been found in DES that were undoubtedly inserted to strengthen the system against certain types of attack. Structures have also been found that appear to weaken the system. Lexar Corporation, “An Evaluation of the DES”, 1976. Lecture 6: Striving for Confusion David Evans http://www.cs.virginia.edu/evans CS588: Security and Privacy University of Virginia Computer Science
Menu • PS1 Question 4b • Will return PS1 Thursday • DES • Strengthening DES • Breaking DES University of Virginia CS 588
Permutation Cipher How much information can be transmitted with perfect secrecy using symbols from the English alphabet (26 letters) with a transposition cipher with block size 8 and a permutation chosen randomly from all possible permutations?
Key Space • Perfect Cipher Keyspace Theorem: • Cannot transmit more than 8! different messages securely [Diagram: positions 1 2 3 4 5 6 7 8, Random Permutation, 8! Keys]
8! Messages Why couldn’t you also include IJKLMNOP? M = { ABCDEFGH, BACDEFGH, CABDEFGH, DABCEFGH, EABCDFGH, … } What if there were only 2 alphabet symbols? (Note: can transmit as many blocks as you want) Midterm Question
Feistel Cipher Recap • Last time: • Decryption works, as long as the keys are used in reverse order • Can provide confusion and diffusion (because of permutation), but only if F is confusing [Diagram: Plaintext → L0, R0; Round: Substitution (F, K1), Permutation → L1, R1]
DES • NIST (then NBS) sought standard for data security (1973) • IBM’s Lucifer only reasonable proposal • Modified by NSA • Changed S-Boxes • Reduced key from 128 to 56 bits • Adopted as standard in 1976 • More bits have been encrypted using DES than any other cipher
DES Algorithm • Feistel cipher with added initial permutation • Complex choice of F • 16 rounds • 56-bit key, shifts and permutations produce 48-bit subkeys for each round
DES’s F: 32 bits → Expand and Permute (using E table) → 48 bits (Kn) → Substitute (using S boxes) → 32 bits → Permutation. The goal is confusion!
S-Boxes: 6 bits (Example: 110011) → S-Box (64 entry lookup table) → 4 bits (1001) • Critical to security • NSA changed choice of S-Boxes • Only non-linear step in DES: E(11) ≠ E(01) + E(10)
DES Avalanche
Input:    ...............................................................* 1
Permuted: .......................................*........................ 1
Round 1:  .......*........................................................ 1
Round 2:  .*..*...*.....*........................*........................ 5
Round 3:  .*..*.*.**..*.*.*.*....**.....**.*..*...*.....*................. 18
Round 4:  ..*.*****.*.*****.*.*......*.....*..*.*.**..*.*.*.*....**.....** 28
Round 5:  *...**..*.*...*.*.*.*...*.***..*..*.*****.*.*****.*.*......*.... 29
Round 6:  ...*..**.....*.*..**.*.**...*..**...**..*.*...*.*.*.*...*.***..* 26
Round 7:  *****...***....**...*..*.*..*......*..**.....*.*..**.*.**...*..*
Round 8:  *.*.*.*.**.....*.*.*...**.*...*******...***....**...*..*.*..*...
Round 9:  ***.*.***...**.*.****.....**.*..*.*.*.*.**.....*.*.*...**.*...**
Round 10: *.*..*.*.**.*..*.**.***.**.*...****.*.***...**.*.****.....**.*..
Round 11: ..******......*..******....*....*.*..*.*.**.*..*.**.***.**.*...*
Round 12: *..***....*...*.*.*.***...****....******......*..******....*....
Round 13: **..*....*..******...*........*.*..***....*...*.*.*.***...****..
Round 14: *.**.*....*.*....**.*...*..**.****..*....*..******...*........*.
Round 15: **.*....*.*.*...*.**.*..*.*.**.**.**.*....*.*....**.*...*..**.**
Round 16: .*..*.*..*..*.**....**..*..*..****.*....*.*.*...*.**.*..*.*.**.*
Output:   ..*..**.*.*...*....***..***.**.*...*..*..*.*.*.**.*....*.*.*.**.
Source: Willem de Graaf, http://www-groups.dcs.st-and.ac.uk/~wdg/slides/node150.html
Key Schedule • Need 16 48-bit keys • Best security: just use 16 independent keys • 768 key bits • 56-bit key used (64 bits for parity checking) • Produce 48-bit round keys by shifting and permuting
DES Keys [Diagram: 56-bit Key → two 28-bit halves → Shift (1 or 2 bits) on each half → Next round; Compress/Permute → Kn] K_i = PC (Shift (Left (K_(i-1))) || Shift (Right (K_(i-1)))) Are there any weak keys?
Is DES a perfect cipher? • No: more messages than keys • Even for 1 64-bit block 2^64 messages > 2^56 keys
Attacking DES: Brute Force • Key is 56 bits • 2^56 = 7.2 * 10^16 = 72 quadrillion • Try 1 per second = 9 Billion years to search entire space • Distributed attacks • Steal/borrow idle cycles on networked PCs • Search half of key space with 100000 PCs * 1M keys/second in 25 days
Brute Force Attacks • RSA DES challenges: • 1997: 96 days (using 70,000 machines) • Feb 1998: 41 days (distributed.net)
Multiple Encryption
Multiple Encryption • C = EK2 (EK1 (P)) • Does it double the key space? • Monoalphabetic cipher Ci = K2[K1[Pi]] = K3[Pi] for some K3
Double-Vigenère C = EK2 (EK1 (P))
Vigenère: C_i = (P_i + K_(i mod N)) mod Z
C_i = ((P_i + K1_(i mod N1)) mod Z + K2_(i mod N2)) mod Z
    = (P_i + K1_(i mod N1) + K2_(i mod N2)) mod Z
if N1 = N2: = (P_i + K3_(i mod N)) mod Z (K3 = K1 + K2)
what if N1 ≠ N2?
Double-Vigenère • K1 = "BOND" • K2 = "JAMES"
  BONDBONDBONDBONDBONDBONDBOND
+ JAMESJAMESJAMESJAMESJAMESJAM
= KOZHTXNPFGWDNSFMBARVKOZHTXNP
• Effective key length: LCM (N1, N2) = 20
Double DES • C = EK2 (EK1 (P)) • Is there a K3 such that C = EK3 (P)? • There are 2^56 keys, and (2^64)! mappings • If DES is good, keys map randomly to mappings. • Probability that a randomly chosen mapping corresponds to a DES key: 2^56 / (2^64)! << 1 / (2^63)! • Effective key size of Double DES? = 2^56 * 2^56 = 2^112 WRONG!
Known Plaintext Attack [Diagram: P → E → E → C with keys K1, K2. From P, E with all possible keys gives X_K1, X_K2, …, X_K(2^56); from C, D with all possible keys gives Y_K1, Y_K2, …, Y_K(2^56).] One X_Ki = Y_Kj means K1 = Ki and K2 = Kj
Meet-in-the-Middle Attack • C = EK2 (EK1 (P)) • X = EK1 (P) = DK2 (C) • Brute force attack (given one P/C pair): calculate EK1 (P) for all keys (2^56 work) calculate DK2 (C) for all keys (2^56 work) the match gives the keys • Total work = 2 * 2^56 = 2^57
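The meet-in-the-middle search above, as an added example that is not from the original lecture, run against a constructed toy Feistel cipher (16-bit block, 12-bit key) so that it finishes instantly; it also shows the Feistel recap's point that decryption is the same rounds with the subkeys reversed. It goes one step beyond the slide by checking the matches against further known pairs, because a single pair typically leaves chance matches. The cipher, key sizes, keys and plaintexts are all assumptions made for the demonstration.

```python
KEY_BITS = 12                       # toy key size (DES uses 56)
KEYS = 1 << KEY_BITS

def round_keys(key):
    """Four 8-bit subkeys taken from rotations of the 12-bit key."""
    return [((key >> (3 * i)) | (key << (KEY_BITS - 3 * i))) & 0xFF
            for i in range(4)]

def f(r, k):
    """Nonlinear round function; it need not be invertible."""
    v = r ^ k
    return (((v * v) >> 2) + 7 * v + 1) & 0xFF

def encrypt(block, key):
    l, r = block >> 8, block & 0xFF
    for k in round_keys(key):
        l, r = r, l ^ f(r, k)
    return (l << 8) | r

def decrypt(block, key):
    l, r = block >> 8, block & 0xFF
    for k in reversed(round_keys(key)):   # same rounds, subkeys reversed
        l, r = r ^ f(l, k), l
    return (l << 8) | r

def double_encrypt(p, k1, k2):
    return encrypt(encrypt(p, k1), k2)

def meet_in_the_middle(pairs):
    """Return (matches on first pair, key pairs consistent with all pairs)."""
    (p0, c0), rest = pairs[0], pairs[1:]
    forward = {}                          # X = E_K1(P) -> [K1, ...]
    for k1 in range(KEYS):                # 2^KEY_BITS encryptions
        forward.setdefault(encrypt(p0, k1), []).append(k1)
    matches = [(k1, k2) for k2 in range(KEYS)   # 2^KEY_BITS decryptions
               for k1 in forward.get(decrypt(c0, k2), [])]
    # A 16-bit block cannot single out one of 2^24 key pairs, so the
    # remaining known pairs are used to discard chance matches.
    survivors = [(k1, k2) for k1, k2 in matches
                 if all(double_encrypt(p, k1, k2) == c for p, c in rest)]
    return len(matches), survivors

def demo():
    k1, k2 = 0xA5C, 0x3E1                 # constructed secret keys
    pairs = [(p, double_encrypt(p, k1, k2)) for p in (0x1234, 0xBEEF, 0x0F0F)]
    return meet_in_the_middle(pairs)

if __name__ == "__main__":
    print(demo())
```

For the defender the takeaway is the slide's: the work is about 2 * 2^k cipher operations plus a 2^k-entry table, so a second key adds roughly one bit of strength, not k bits.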
Hmmm…maybe thrice?
2-Key Triple DES • C = EK1 (DK2 (EK1 (P))) • Why DK2 not EK2? • Backwards compatibility with DES • If K1 = K2: C = EK1 (DK1 (EK1 (P))) = EK1 (P) • Actual key size = 56 + 56 bits = 112 bits • Meet-in-the-middle? • X = EK1 (P) = DK1 (EK2 (C)) 2^56 need to try 2^112
How secure is Triple-DES? • Brute force search: 2^112 keys • Best DES attack: 245 B keys/second • 6.7 * 10^14 years (compared to 22 hours) • 10^11 years = total lifetime of universe (closed universe theory) • Best known attack - reduces to 2^(120 - log2 n) • n = number of known P-C pairs • n = 2^64, work is 2^56 Realistic?
3-Key Triple DES • C = EK3 (DK2 (EK1 (P))) • H(K) = 168 • Used by PGP, S/MIME • How much work to brute-force? • Meet-in-the-middle: X = DK3 (C) = DK2 (EK1 (P)) 2^56 + 2^112
Cracking DES (1998) • 90B keys per second • Cost < $250K (in 1998) • 56 hours to solve RSA DES Challenge
Cracking DES (2001) • Mike Bond, Richard Clayton (University of Cambridge PhD Students) • IBM 4578 “Cryptoprocessor” (used in banking security – generates PINs from account numbers) • $995 for custom FPGA • 20 hours to extract key • Meet-in-the-middle attack (we’ll discuss this next class)
Cracking DES (2005) Girish Ratanpal
POWER ANALYSIS ATTACKS Girish Ratanpal Electrical & Computer Engineering UVA
The Problem • Mathematically secure Cryptographic algorithms. • Implementations leak out information. • Side-channels • Execution time • Power consumption • Radio frequencies • Electric/magnetic fields
The Power consumption side-channel • Correlation between operation and power consumed. • E.g. MOV 0 v/s MOV FF • Correlation between power consumed and bit transitions at the output of gates. • E.g. 0→1 v/s 1→0
DPA attack on DES • Guess the 6-bit sub-key of K16 • Determine Ci, L15[0] • Determine selection function D(Ci, b, K16)
DES attack contd. • Collect power traces with k time samples for m cipher-texts. • Divide the traces into two sets T0 and T1 using the selection function. • Compute the average. • -this is the DPA trace
S[k] with Correct Guess
S[k] with Incorrect Guess
Subkey for SBOX-5
Existing Countermeasures • Noise Insertion: Directly reduces SNR of S[k]. • Temporal De-synchronization • Randomly varying clock • Dummy instructions • Randomized instruction stream • Algorithmic Countermeasure • Intermediate results masking • Supply Current Shielding • Off-chip capacitors
Existing Countermeasures • Algorithmic & Temporal De-synchronization – affect implementation • Need for a solution that • Puts minimal constraints on hardware implementation • Can be integrated on-chip
Suppression circuit • Voltage sensed by Rsense • Current feedback to keep voltage constant. • Cfilter for high frequency components.
Result of Suppression
DPA on Protected Device
Charge • Deadline for project proposals delayed until Feb 17 • Start using the forum to find project teams • PS2 out today, due next Tuesday • Read the attached paper before Thursday’s class • We’ll talk about it Thursday