IEMS5710 Symmetric Ciphers
22 January 2013
Prof. CHAN Yuen-Yan, Rosanna
Department of Information Engineering, The Chinese University of Hong Kong

Cryptography
A cryptographic system can be characterized by:
• the type of encryption operations used
  • substitution
  • transposition
  • product
• the number of keys used
  • single-key or private (symmetric)
  • two-key or public (asymmetric)
• the way in which plaintext is processed
  • block
  • stream
IEMS5710 - Lecture 2
The Need for Symmetric Ciphers
• Confidentiality of data transmitted over the internet
• Confidentiality of data (e.g. files) stored in “trusted storage”
  • E.g. DropBox
  • E.g. Google Drive
• Principle: keep data encrypted until it is needed
(diagram: Trusted storage (trusted not to lose data); Your local system (trusted to be secure); Smart card (tamper resistant))

Examples of Symmetric Ciphers
• Secure Sockets Layer (SSL)
  • Uses public-key cryptography to exchange the session key
  • The session key is used with a symmetric cipher
  • DES, RC2, RC4, IDEA and Triple DES
(diagram: SSL payload (ciphertext))
How Secure is Dropbox?
• https://www.dropbox.com/help/27/en
• “Your files are stored securely and backed-up.”
• “Your account login is protected by many layers of security including password and two-step verification.”
• “Other Dropbox users can't see your files in Dropbox unless you deliberately share links to files or share folders.”
• “Dropbox employees are prohibited from viewing the content of files you store in your account… Employees may access file metadata (e.g., file names and locations) when they have a legitimate reason…”

How Secure is Dropbox?
• For our advanced users
  • Dropbox uses modern encryption methods to both transfer and store your data.
  • Secure Sockets Layer (SSL) and AES-256 bit encryption.
  • Dropbox website and client software are constantly being hardened to enhance security and protect against attacks.
  • Two-step verification is available for an extra layer of security at login. You can choose to receive security codes by text message or via any Time-Based One-Time Password (TOTP) app.
  • Public files are only viewable by people who have a link to the file(s).
  • Dropbox uses Amazon's Simple Storage Service (S3) for storage, which has a robust security policy of its own. You can find more information on Amazon's data security from the S3 site, or read more about how Dropbox and Amazon securely store data.

How Secure is Dropbox?
• “how Dropbox and Amazon securely store data”
• Amazon S3:
  • “Data stored within Amazon S3 is not encrypted at rest by AWS. However, users can encrypt their data before it is uploaded to Amazon S3 so that the data cannot be accessed or tampered with by unauthorized parties.”
How about Google Drive?
• http://www.informationweek.com/security/privacy/google-drive-privacy-4-misunderstood-fac/232901076
• When people upload a file to the new Google Drive online file-storage service, who owns the file?
• From Google’s Terms of Service:
  • "When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations, or other changes that we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display, and distribute such content."

EncFS (http://www.arg0.net/encfs)
• Uses SSL/AES
• 1024-byte block size
• Each file carries its own unique IV (initialization vector)
• A password is used to decrypt the AES key

Examples of Symmetric Ciphers
• E.g. EncFS encryption for Dropbox files
  • http://isseykun.github.com/blog/2012/04/15/encrypt-dropbox-data-using-encfs-on-the-mac/
Basic Terminology
• plaintext - original message
• ciphertext - coded message
• cipher - algorithm for transforming plaintext to ciphertext
• key - information used in the cipher, known only to sender/receiver
• encipher (encrypt) - converting plaintext to ciphertext
• decipher (decrypt) - recovering plaintext from ciphertext
• cryptography - study of encryption principles/methods
• cryptanalysis (codebreaking) - study of principles/methods of deciphering ciphertext without knowing the key
• cryptology - field of both cryptography and cryptanalysis

Symmetric Cipher Model (figure)

Requirements
• Two requirements for secure use of symmetric encryption:
  • a strong encryption algorithm (E) and the corresponding decryption algorithm (D)
  • a secret key (K) known only to sender / receiver
• Mathematically: ciphertext = E(K, plaintext) and plaintext = D(K, ciphertext)
• Assume the encryption algorithm is known
• This implies a secure channel is needed to distribute the key
History of Cryptography
• Cryptography has roots that begin around 2000 B.C. in Egypt
• Ancient encryption techniques also include the Caesar cipher
• In the twentieth century, cryptography played a crucial military role in the outcome of both world wars (e.g. the Enigma machine)
• Cryptography was also used as a tool to protect national secrets and strategies, and was subject to export control
• The proliferation of computers and communications systems in the 1960s brought with it a demand from the private sector for means to protect information in digital form and to provide security services. E.g.
  • the Feistel cipher at IBM in the early 1970s
  • the adoption of DES (the Data Encryption Standard) as a U.S. Federal Information Processing Standard for encryption
• Public-key encryption schemes appeared only in the 1970s

Enigma Machine
• An electro-mechanical rotor machine for generating ciphers and for the encryption and decryption of secret messages
• Refer to http://en.wikipedia.org/wiki/Enigma_machine

Historical Ciphers
• Substitution ciphers
  • Developed in ancient Egypt as a series of disordered hieroglyphics
  • The original message, or plaintext, was encoded using a substitution cipher. Each letter (or picture, in this case) of the plaintext was simply replaced by another letter of the alphabet, resulting in the encoded message, or ciphertext
  • E.g. THIS IS A MESSAGE becomes GAWE WE F KOEEFBO
Historical Ciphers
• Caesar cipher
  • Said to have been used by Julius Caesar to communicate with his army
  • Caesar is considered to be one of the first persons ever to have employed encryption for the sake of securing messages
  • Using the Caesar shift (3 to the right), the message "RETURN TO ROME" would be encrypted as "UHWXUQ WR URPH"
  • Here, “3” is the encryption key as well as the decryption key
  • The Caesar cipher is a symmetric cryptosystem
  • Can you break the following Caesar cipher?
    • “MABL BL T LXVKXM”
  • What techniques have you used in breaking it?
Cryptanalysis
• Objective: to recover the key, not just the message
• General approaches:
  • cryptanalytic attack
  • brute-force attack
• If either succeeds, all use of that key is compromised

Cryptanalytic Attacks
• Ciphertext only: the encryption algorithm and the ciphertext are known to the cryptanalyst.
• Known plaintext attack: knows the encryption algorithm, the ciphertext, and one or more plaintext-ciphertext pairs formed with the secret key.
• Chosen plaintext attack (CPA): knows the encryption algorithm, the ciphertext, and chosen plaintext with its corresponding ciphertext generated with the secret key.
• Chosen ciphertext attack (CCA): knows the encryption algorithm, the ciphertext, and chosen ciphertext with its corresponding plaintext decrypted with the secret key.
• Chosen text attack: knows all the information known in both CPA and CCA.

Historical Ciphers
• Breaking the Caesar cipher
  • Possible ways:
    • Try all 26 possible shifts (brute force)
    • Make use of statistical data about English letter frequencies
      • It is known that in a text of 1000 letters, the letters of the English alphabet occur with about the relative frequencies shown on the next slide
    • Use some frequently appearing patterns, e.g. “THIS”, “THIS IS”, “A”, “AN”, “THE”
English Letter Frequencies (chart)

Historical Ciphers
• Vigenère cipher (France, the 16th century)
  • A 2-dimensional Caesar cipher table
  • Uses this table together with a keyword to encrypt a message
  • E.g. encrypt “TO BE OR NOT TO BE THAT IS THE QUESTION” with the keyword “RELATIONS”:
    Keyword:    RELAT IONSR ELATI ONSRE LATIO NSREL
    Plaintext:  TOBEO RNOTT OBETH ATIST HEQUE STION
    Ciphertext: KSMEH ZBBLK SMEMP OGAJX SEJCS FLZSY
  • Key letter R and plaintext letter T give ciphertext letter K

Historical Ciphers
The Cryptex in The Da Vinci Code (figure)
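The Vigenère example above as an added, runnable illustration (not code from the lecture slides). It reproduces the keystream and ciphertext rows of the slide, whose keyword is RELATIONS repeated, and goes one step beyond the slide: a one-letter keyword collapses to the Caesar cipher, and repeated plaintext that lines up with the keyword period ("TOBE" at positions 1 and 10, nine apart) produces repeated ciphertext, which is how the key length of a periodic key leaks. The `kasiski_distances` helper that measures those repeats is an addition here, not something the slide describes.

```python
# Added example (not from the lecture slides): Vigenere as a keyword-driven
# sequence of Caesar shifts, plus the repeat-distance leak of a periodic key.
from string import ascii_uppercase as ALPHA


def letters_only(text: str) -> str:
    """Keep A-Z only, as the slide's five-letter groups do."""
    return ''.join(c for c in text.upper() if c in ALPHA)


def keystream(keyword: str, length: int) -> str:
    """The keyword repeated to cover `length` letters (the slide's 'Keyword:' row)."""
    keyword = keyword.upper()
    return (keyword * (length // len(keyword) + 1))[:length]


def vigenere(text: str, keyword: str, decrypt: bool = False) -> str:
    """Shift the i-th plaintext letter by the i-th keystream letter (mod 26).
    With a one-letter keyword this is exactly the Caesar cipher."""
    plain = letters_only(text)
    out = []
    for ch, k in zip(plain, keystream(keyword, len(plain))):
        shift = ALPHA.index(k)
        if decrypt:
            shift = -shift
        out.append(ALPHA[(ALPHA.index(ch) + shift) % 26])
    return ''.join(out)


def groups_of_five(s: str) -> str:
    return ' '.join(s[i:i + 5] for i in range(0, len(s), 5))


def kasiski_distances(ciphertext: str, n: int = 3) -> dict:
    """For every n-gram that occurs more than once, the distances between its
    occurrences. Distances are multiples of the key length, so they reveal it."""
    positions = {}
    for i in range(len(ciphertext) - n + 1):
        positions.setdefault(ciphertext[i:i + n], []).append(i)
    return {seq: [b - a for a, b in zip(pos, pos[1:])]
            for seq, pos in positions.items() if len(pos) > 1}


if __name__ == "__main__":
    pt = "TO BE OR NOT TO BE THAT IS THE QUESTION"
    ct = vigenere(pt, "RELATIONS")
    print("Keyword:   ", groups_of_five(keystream("RELATIONS", 30)))
    print("Plaintext: ", groups_of_five(letters_only(pt)))
    print("Ciphertext:", groups_of_five(ct))
    print("Repeats:   ", kasiski_distances(ct))   # both repeats are 9 apart
```

The repeat distances are what make the Vigenère cipher only historically secure: once the period is known, each key position is a separate Caesar cipher and the frequency scoring from the previous example applies column by column.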
Block vs Stream Ciphers
• Block ciphers process messages in blocks, each of which is then en/decrypted
  • like a substitution on very big characters
  • 64 bits or more
• Stream ciphers process messages a bit or byte at a time when en/decrypting
• Many current ciphers are block ciphers

Block vs Stream Ciphers (figures: Stream Cipher; Block Cipher)

Ideal Block Cipher
• 4 input bits, 2^4 = 16 possible combinations (figure)

Confusion and Diffusion
• A cipher needs to completely obscure the statistical properties of the original message
• Shannon’s S-P network concept: use substitution and permutation to obtain
  • diffusion – dissipates the statistical structure of the plaintext over the bulk of the ciphertext
  • confusion – makes the relationship between ciphertext and key as complex as possible
• Together these provide confusion and diffusion of message and key
Feistel Cipher Structure
• Horst Feistel devised the Feistel cipher
• Partitions the input block into two halves
• Processes them through multiple rounds, each of which
  • performs a substitution on the left data half based on a round function of the right half and the subkey
  • then has a permutation swapping the halves
• Implements Shannon’s S-P network concept

Feistel Cipher Structure (figures: Decryption; Encryption)

Data Encryption Standard (DES)
• Submitted by IBM; an early version was invented by a team led by Feistel in the late 1960s
• The most widely used block cipher in the world
• Adopted in 1977 by NBS (now NIST) as FIPS PUB 46
• Encrypts 64-bit data using a 56-bit key
• Has widespread use
• There has been considerable controversy over its security; subsequent events and public analysis show that in fact the design was appropriate
• Use of DES has flourished, especially in financial applications
• Still standardised for legacy application use

DES Round Structure
• Uses two 32-bit halves L and R, as for any Feistel cipher
• Can be described as:
  Li = Ri–1
  Ri = Li–1 XOR F(Ri–1, Ki)
• F takes the 32-bit R half and a 48-bit subkey:
  • expands R to 48 bits using permutation E
  • adds it to the subkey using XOR
  • passes the result through 8 S-boxes to get a 32-bit result
  • finally permutes it using the 32-bit permutation P
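The Feistel structure and the round equations above, as an added example (not code from the lecture slides, and not DES): a toy 64-bit Feistel network whose round function is a keyed hash truncated to 32 bits. The point it shows is the one the slides make in words: F does not have to be invertible for the cipher to be, and decryption is the same network run with the subkeys in reverse order. The round function, the subkey schedule and the key and plaintext values are constructed for the demonstration; none of them is DES's.

```python
# Added example (not from the lecture slides, and not DES): a toy Feistel
# network showing L_i = R_{i-1}, R_i = L_{i-1} XOR F(R_{i-1}, K_i).
import hashlib
from typing import List

BLOCK_BYTES = 8               # 64-bit block, split into two 32-bit halves
HALF_BYTES = BLOCK_BYTES // 2
ROUNDS = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def round_function(right: bytes, subkey: bytes) -> bytes:
    """Toy F: keyed hash of the right half, truncated to 32 bits.
    It is one-way, which is fine: the Feistel structure never inverts F."""
    return hashlib.sha256(subkey + right).digest()[:HALF_BYTES]


def key_schedule(key: bytes, rounds: int = ROUNDS) -> List[bytes]:
    """One 48-bit subkey per round (toy schedule: hash of key and round index)."""
    return [hashlib.sha256(key + bytes([i])).digest()[:6] for i in range(rounds)]


def feistel(block: bytes, subkeys: List[bytes]) -> bytes:
    """Run the rounds in the order given, swapping halves after each round."""
    assert len(block) == BLOCK_BYTES
    left, right = block[:HALF_BYTES], block[HALF_BYTES:]
    for k in subkeys:
        # L_i = R_{i-1};  R_i = L_{i-1} XOR F(R_{i-1}, K_i)
        left, right = right, xor(left, round_function(right, k))
    # Undo the last swap (as DES does) so the same loop serves decryption.
    return right + left


def encrypt_block(block: bytes, key: bytes) -> bytes:
    return feistel(block, key_schedule(key))


def decrypt_block(block: bytes, key: bytes) -> bytes:
    """Same network, subkeys reversed: round n undoes encryption round n."""
    return feistel(block, key_schedule(key)[::-1])


if __name__ == "__main__":
    key = b"lecture2"          # constructed demo key
    pt = b"ATTACK!!"           # constructed 8-byte block
    ct = encrypt_block(pt, key)
    print(ct.hex(), decrypt_block(ct, key))
```

Why reversing the subkeys works: after the final un-swap the ciphertext is (R_n, L_n). Feeding that into one round with K_n gives left = L_n = R_{n-1} and right = R_n XOR F(L_n, K_n) = L_{n-1}, because F is evaluated on the same R_{n-1} it was evaluated on during encryption. Each further round peels off one more encryption round, and the closing swap restores (L_0, R_0).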
DES Encryption Overview (figure)

DES Example (figure)

Attacks on DES – Analytic Attacks
• Brute-force search looks hard, but recent advances have shown it is possible:
  • in 1997 on the Internet in a few months
  • in 1998 on dedicated hardware (EFF) in a few days
  • in 1999 the above combined, in 22 hours!
• Now there are also several analytic attacks on DES
  • these utilise some deep structure of the cipher
  • by gathering information about encryptions they can eventually recover some/all of the subkey bits
  • if necessary, the rest is then found by exhaustive search
  • generally these are statistical attacks
• Differential cryptanalysis – compares two related pairs of encryptions
• Linear cryptanalysis – uses a large number of trial encryptions to obtain linear equations for key bits
• Related-key attacks

Attacks on DES – Timing Attacks
• Attack the actual implementation of the cipher
• Use knowledge of the consequences of the implementation to derive information about some/all subkey bits
• Specifically use the fact that calculations can take varying times depending on the values of their inputs
• Particularly problematic on smartcards
AES - Origins
• Advanced Encryption Standard (AES)
• It was clear a replacement for DES was needed
  • there are theoretical attacks that can break it
  • exhaustive key search attacks have been demonstrated
• Can use Triple-DES (apply DES three times) – but it is slow and has small blocks
• US NIST issued a call for ciphers in 1997
• 15 candidates were accepted in Jun 98
• 5 were shortlisted in Aug 99
• Rijndael was selected as the AES in Oct 2000
• Issued as the FIPS PUB 197 standard in Nov 2001

The AES Cipher - Rijndael
• Designed by Rijmen and Daemen in Belgium
• Has 128/192/256-bit keys and 128-bit data
• An iterative rather than Feistel cipher
  • processes data as a block of 4 columns of 4 bytes
  • operates on the entire data block in every round
• The key is expanded to an array of words
• Designed to be:
  • resistant against known attacks
  • fast and compact in code on many CPUs
  • simple in design
AES Encryption Process (figure)

AES Structure (figure)

AES Round (figure)

AES Decryption (figure)

AES – Implementation Aspects
• Can be implemented efficiently on a 32-bit CPU
  • redefine the steps to use 32-bit words
  • precompute 4 tables of 256 words
  • then each column in each round can be computed using 4 table lookups + 4 XORs
  • at a cost of 4 KB (4 tables × 256 words × 4 bytes) to store the tables
• Efficient implementation was a key factor in its selection as the AES cipher

Modes of Operation
• Block ciphers encrypt fixed-size blocks
  • e.g. DES encrypts 64-bit blocks with a 56-bit key
• Need some way to en/decrypt arbitrary amounts of data in practice
• NIST SP 800-38A defines 5 modes
• There are block and stream modes to cover a wide variety of applications
• They can be used with any block cipher
Electronic Codebook (ECB)
• The message is broken into independent blocks which are encrypted
• Each block is a value which is substituted, like a codebook, hence the name
• Each block is encoded independently of the other blocks:
  Ci = EK(Pi)
• Uses: secure transmission of single values

Electronic Codebook (ECB) (figure)

Advantages and Limitations of ECB
• Message repetitions may show in the ciphertext
  • if aligned with the message block
  • particularly with data such as graphics, or with messages that change very little, which become a codebook analysis problem
• The weakness is due to the encrypted message blocks being independent
• Main use is sending a few blocks of data

Cipher Block Chaining (CBC)
• The message is broken into blocks linked together in the encryption operation
• Each previous cipher block is chained with the current plaintext block, hence the name
• Uses an Initial Vector (IV) to start the process:
  Ci = EK(Pi XOR Ci-1)
  C-1 = IV
• Uses: bulk data encryption, authentication

Cipher Block Chaining (CBC) (figure)

Message Padding
• At the end of the message a possible last short block, smaller than the block size of the cipher, must be handled
  • pad either with a known non-data value (e.g. nulls)
  • or pad the last block along with a count of the pad size
  • e.g. [ b1 b2 b3 0 0 0 0 5 ] means 3 data bytes, then 5 bytes of pad plus count
  • this may require an entire extra block beyond those in the message
• There are other, more esoteric modes which avoid the need for an extra block
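ECB, CBC and the "zeros then count" padding of the last three slides, as one added example (not code from the lecture slides). To keep the modes, rather than the cipher, in view it uses a deliberately simple and insecure 64-bit toy block cipher (XOR with the key, then multiply by an odd constant mod 2^64, which is invertible); the key, IV and message are constructed for the demonstration. The message repeats one 8-byte block four times so that the ECB weakness of the "Advantages and Limitations" slide is visible as duplicate ciphertext blocks, while CBC with an IV hides it.

```python
# Added example (not from the lecture slides): ECB and CBC modes plus the
# slide's [b1 b2 b3 0 0 0 0 5] padding, over a toy (NOT secure) block cipher.
import os
from typing import List

BLOCK = 8
MASK = (1 << 64) - 1
MULT = 0x9E3779B97F4A7C15            # odd, so multiplication mod 2**64 is invertible
MULT_INV = pow(MULT, -1, 1 << 64)


def toy_encrypt_block(block: bytes, key: int) -> bytes:
    """Toy 64-bit permutation: ((P xor K) * M) mod 2**64. Illustration only."""
    p = int.from_bytes(block, "big")
    return (((p ^ key) * MULT) & MASK).to_bytes(BLOCK, "big")


def toy_decrypt_block(block: bytes, key: int) -> bytes:
    c = int.from_bytes(block, "big")
    return (((c * MULT_INV) & MASK) ^ key).to_bytes(BLOCK, "big")


def pad(msg: bytes) -> bytes:
    """Zero bytes followed by one count byte covering pad plus count:
    3 data bytes -> [b1 b2 b3 0 0 0 0 5]. A message that already fills the
    last block gets a whole extra block [0 0 0 0 0 0 0 8]."""
    n = BLOCK - (len(msg) % BLOCK)      # 1..BLOCK bytes of pad+count
    return msg + b"\x00" * (n - 1) + bytes([n])


def unpad(padded: bytes) -> bytes:
    n = padded[-1]
    if not 1 <= n <= BLOCK or any(padded[-n:-1]):
        raise ValueError("bad padding")
    return padded[:-n]


def blocks(data: bytes) -> List[bytes]:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ecb_encrypt(msg: bytes, key: int) -> bytes:
    """C_i = E_K(P_i): every block independent of the others."""
    return b"".join(toy_encrypt_block(b, key) for b in blocks(pad(msg)))


def ecb_decrypt(ct: bytes, key: int) -> bytes:
    return unpad(b"".join(toy_decrypt_block(b, key) for b in blocks(ct)))


def cbc_encrypt(msg: bytes, key: int, iv: bytes) -> bytes:
    """C_i = E_K(P_i xor C_{i-1}), with C_{-1} = IV."""
    prev, out = iv, []
    for p in blocks(pad(msg)):
        prev = toy_encrypt_block(xor(p, prev), key)
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(ct: bytes, key: int, iv: bytes) -> bytes:
    """P_i = D_K(C_i) xor C_{i-1}: decryption needs only the previous ciphertext block."""
    prev, out = iv, []
    for c in blocks(ct):
        out.append(xor(toy_decrypt_block(c, key), prev))
        prev = c
    return unpad(b"".join(out))


def repeated_blocks(ct: bytes) -> int:
    """Number of ciphertext blocks identical to an earlier one (ECB's leak)."""
    bs = blocks(ct)
    return len(bs) - len(set(bs))


if __name__ == "__main__":
    key = 0x0123456789ABCDEF          # constructed demo key
    iv = os.urandom(BLOCK)
    msg = b"SAMEBLK." * 4 + b"END"     # constructed: one block repeated four times
    print("ECB repeats:", repeated_blocks(ecb_encrypt(msg, key)))      # 3
    print("CBC repeats:", repeated_blocks(cbc_encrypt(msg, key, iv)))  # 0
    print(cbc_decrypt(cbc_encrypt(msg, key, iv), key, iv))
```

Because the count byte sits inside the last block, the receiver can strip exactly the right number of bytes even when the data itself ends in zeros, which a plain "pad with nulls" rule cannot guarantee; the price is the extra full block whenever the message length is already a multiple of the block size.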