1 / 36

Symmetric Key Crypto

Symmetric Key Crypto. Alfred C. Weaver Tom Horton CS453 Electronic Commerce. Readings: Chapter 13 of our textbook Web resources Weaver’s References Bruce Schneier, “Applied Cryptography,” John Wiley & Sons Andrew Tanenbaum, “Computer Networks,” Prentice-Hall

shamus
Download Presentation

Symmetric Key Crypto

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Symmetric Key Crypto Alfred C. WeaverTom Horton CS453 Electronic Commerce

  2. Readings: • Chapter 13 of our textbook • Web resources • Weaver’s References • Bruce Schneier, “Applied Cryptography,” John Wiley & Sons • Andrew Tanenbaum, “Computer Networks,” Prentice-Hall • Jim Kurose and Keith Ross, “Computer Networking,” Addison-Wesley

  3. Original Plaintext Ciphertext Plaintext Encryption Decryption Encryption Key Decryption Key Symmetric Key Encryption

  4. How do you break this strategy? What’s the risk? Odd question for the moment: Is this the strategy we want for encrypting passwords for authentication? Evaluating SKC

  5. Question 1: How do you break this strategy? What’s the risk? Answer: Attack the key! Can you guess it? Find it? Question 2: Is this the strategy we want for encrypting passwords for authentication? Answer: No. Use a one-way hash to convert plain-text to cipher-text. Store cipher-text on system. At authentication, hash what the user types and compare two cipher-texts for match. How to attack? Same as above. Answers

  6. What are some major (historical) SKC algorithms? DES, Triple-DES, IDEA, RC4, AES How do they work? (Hmm.) Where do they stand? How do they fit into larger systems? Topics

  7. Data Encryption Standard • Government requested white papers on proposed cryptographic standard in early 1970s • IBM responded with a clever design • NSA approved (and changed) the design • NBS (now NIST) certified the design in 1976 as Data Encryption Standard (DES) • Recertified in 1987 and 1993 • World’s most commonly used algorithm

  8. DES • Iterated block cipher with 56-bit key (although 64 are specified, 8 are parity) • Iterated • multiple repetitions of basic algorithm • DES uses 16 rounds • Block cipher • encrypts fixed-size data groups • DES uses 8-byte (64-bit) blocks • data divided into 64-bit chunks • Key space • 256 keys ~= 72 x 1015 possible keys

  9. DES • Uses a combination of confusion and diffusion • every bit of the key (56 bits) and every bit of the plaintext (64 bits) affects every bit of the ciphertext (64 bits) • key is shifted and massaged each round to produce a subkey • plaintext is permuted, shifted, selected, and massaged against a permuted, shifted, and selected subkey 16 times • each 64-bit plaintext produces a 64-bit ciphertext

  10. DES Plaintext Permutation L0 R0 + K1 one round f L1 = R0 R1 = L0  f (R0,K1) ….. L16 = R15 R16 = L15  f (R15,K16) Permutation Ciphertext

  11. DES • 1. Plaintext enters as 64-bit block • 2. Bits are permuted and divided into left-hand side (L0) and right-hand side (R0) • 3. Repeat 16 rounds of encryption: • (a) Key from previous round is divided into two 28-bit halves • (b) Each half of key is shifted and subjected to a compression permutation that selects 48 of the 56 bits for propagation into the next round

  12. DES • (c) Right-hand side Rifrom previous round subjected to expansion permutation that increases 32 bits into 48 bits by selective repetition of certain bits • (d) Expanded, permuted right-hand side Riis exclusive-ORed with shifted, compressed key • (e) Result goes through substitution box that moves the bits around and expands 32 bits into 48 bits temporarily

  13. DES • (f) Temporary result goes through a permutation box that moves bits around and reduces 48 bits to 32 bits • (g) Left-hand side is exclusive-ORed with output of permutation box to produce a new right-hand side • (h) New left-hand side is copied from right-hand side of previous round

  14. DES • At the end of 16 rounds • 64-bit result permuted once more • Final 64-bit ciphertext emitted • Note: no security due to secrecy—the algorithm has been published and studied extensively since 1975 • All the security is in the key

  15. DES Decryption • Use the ciphertext as the plaintext • Use same initial key • Run the algorithm backwards through 16 rounds, using subkeys in reverse order K16, K15, …, K1 • DES outputs the plaintext • Many companies now offer DES on a chip so it runs at wire speed

  16. DES Implementation • Java implementation of DES available at http://intercom.virginia.edu/crypto/crypto.html

  17. A Brief IBM / NSA History • IBM needed crypto for ATM • Idea began as Lucifer with 128-bit key • IBM needed an export license • NSA agreed to vet the algorithm • NSA probably changed the S-boxes • NSA told IBM to reduce the key size • IBM agreed to 64 bits • Production reduced it to 56 bits plus parity • IBM got its export license

  18. Security of DES • DES started in 1976 • It was secure then – but not now • Jan. 1997: RSA Data Security issued a cryptographic challenge • Research project DESCHALL used distributed computing (14,000 unique computers over 3 months) to crack DES with 56-bit key • http://www.interhack.net/projects/deschall/ • At its peak, DESCHALL was testing 7 billion keys/second

  19. Security of DES • July 1998: DES Challenge II • Electronic Frontier Foundation (EFF) built a DES code-cracker for $250k • Cracked DES in 3 days • Jan. 1999: DES Challenge III • Distributed.Net used EFF DES cracker plus 100,000 PCs on the Internet to crack DES in 22 hours 15 min. • Testing 245 billion keys/sec when key was found

  20. Security of DES • Reported in late 90s that DES could be cracked “in a few hours” (presumably by NSA) • Reasonable to assume that DES can now be cracked very quickly with special hardware and/or a distributed approach

  21. Weak Keys • Some 56-bit keys are known to be weak • 0000000 0000000 • 0000000 FFFFFFF • FFFFFFF 0000000 • FFFFFFF FFFFFFF • Repeating bits do not “stir” well when shifted • Also some “possibly weak” keys, but these are identified in the literature so don’t use them

  22. Triple-DES • Triple-DES invented to boost security • Uses three separate encryption and decryption cycles with two or three unique keys • Two unique keys gives 2x56=112 bit protection • Three unique keys gives 3x56=168 bit protection

  23. Triple-DES DES-1 DES DES Plaintext Key-3 Key-1 Key-2 Ciphertext DES-1 DES DES-1

  24. Triple-DES with Three Unique Keys • Sender: • Encrypt with Key-1 • Decrypt with Key-2 (decryption has same scrambling power as encryption) • Encrypt with Key-3 • Receiver: • Decrypt with Key-3 • Encrypt with Key-2 • Decrypt with Key-1 • Power: 56x3=168 bit key

  25. Triple-DES with Two Unique Keys • Sender: • Encrypt with Key-1 • Decrypt with Key-2 • Encrypt with Key-1 again • Receiver: • Decrypt with Key-1 • Encrypt with Key-2 • Decrypt with Key-1 • Power: 56x2=112 bit key

  26. Triple-DES with One Unique Key • Sender: • Encrypt with Key-1 • Decrypt with Key-1 • Encrypt with Key-1 • Receiver: • Decrypt with Key-1 • Encrypt with Key-1 • Decrypt with Key-1 • Power: 56 bit key (exactly equal to DES)

  27. Triple-DES • Why use three unique keys instead of one? • that’s easy! • power of 168-bit key vs. 56-bit key • many, many, many orders of magnitude harder to crack than DES • Why use two keys instead of one? • power of 112-bit key vs. 56-bit key • many orders of magnitude harder to crack than DES • two keys (112 bits) easier to manage than three (doubtful) • 112-bit key is fairly secure today • Why use one key instead of two or three? • setting key1=key2=key3 makes 3DES interoperate with DES • of course the power is just one 56-bit key • only use would be for backward compatibility

  28. Security of DES and Triple-DES • Is DES suitable for commercial transactions? • today the answer is no • nevertheless it is in daily, wide-spread use • Triple-DES very robust, very well suited to commercial activities

  29. IDEA • International Data Encryption Algorithm • proposed 1992 • symmetric-key, 128 bits • 64-bit blocks • similar in design, but different in detail, from DES

  30. IDEA • Design philosophy is “mixing operations from three algebraic groups” • XOR • Addition modulo 216 • Multiplication modulo 216 + 1 (substitutes for DES S-box) • About twice as fast as DES • Used in PGP • Very strong symmetric key encryption algorithm

  31. AES • NIST held a competition to replace DES • Five serious entries, including 3DES • Winner was Rijndael (pronounced “Rhine-doll”) from two co-inventors in Belgium • AES is a 128-, 192-, or 256-bit block cipher • Uses 128, 192, or 256 bit symmetric keys • AES uses an affine transformation with a non-linear substitution box

  32. AES • 3.4 x 1038 128-bit keys • 6.2 x 1057 192-bit keys • 1.1 x 1077 256-bit keys • Compare those to DES’s 56-bit key with 7.2 x 1016 keys • Assume you could crack DES (i.e., full search of a 56-bit key space) in one second • Then cracking AES with a 128-bit key would take 149 trillion years • The universe is ~14 billion years old

  33. AES • AES is the way of the future • Threats: • backdoor? (probably not) • massive distributed computation • quantum computing • something we've not thought of

  34. Others • RC4 • Developed by Ron Rivest • Will pop up in discussions of RSA, SSL • Blowfish • Developed by Bruce Schneier • Free, fast • Variable length key

  35. Summary and What’s Next • A set of historical algorithms • Culminating in AES • DES illustrates some of the controversies and social issues inherent in cryptography • PGP too • Weakness • Keys must be shared • An alternative • Public Key Encryption, possibly combined with SKC

More Related