David Evans cs.virginia/evans

Structures have been found in DES that were undoubtedly inserted to strengthen the system against certain types of attack. Structures have also been found that appear to weaken the system. Lexar Corporation, “An Evaluation of the DES”, 1976. Lecture 6: Striving for Confusion. David Evans

Presentation Transcript


  1. Structures have been found in DES that were undoubtedly inserted to strengthen the system against certain types of attack. Structures have also been found that appear to weaken the system. Lexar Corporation, “An Evaluation of the DES”, 1976. Lecture 6: Striving for Confusion. David Evans, http://www.cs.virginia.edu/evans. CS588: Security and Privacy, University of Virginia Computer Science

  2. Menu • PS1 Question 4b • Will return PS1 Thursday • DES • Strengthening DES • Breaking DES University of Virginia CS 588

  3. Permutation Cipher How much information can be transmitted with perfect secrecy using symbols from the English alphabet (26 letters) with a transposition cipher with block size 8 and a permutation chosen randomly from all possible permutations?

  4. Key Space [Diagram: positions 1 2 3 4 5 6 7 8, Random Permutation, 8! Keys] • Perfect Cipher Keyspace Theorem: • Cannot transmit more than 8! different messages securely

  5. 8! Messages Why couldn’t you also include IJKLMNOP? M = { ABCDEFGH, BACDEFGH, CABDEFGH, DABCEFGH, EABCDFGH, … } What if there were only 2 alphabet symbols? (Note: can transmit as many blocks as you want) Midterm Question

  6. Feistel Cipher Recap • Last time: • Decryption works, as long as the keys are used in reverse order • Can provide confusion and diffusion (because of permutation), but only if F is confusing [Diagram labels: Plaintext; L0, R0; K1; F; Substitution; Round; Permutation; L1, R1]

  7. DES • NIST (then NBS) sought standard for data security (1973) • IBM’s Lucifer only reasonable proposal • Modified by NSA • Changed S-Boxes • Reduced key from 128 to 56 bits • Adopted as standard in 1976 • More bits have been encrypted using DES than any other cipher

  8. DES Algorithm • Feistel cipher with added initial permutation • Complex choice of F • 16 rounds • 56-bit key, shifts and permutations produce 48-bit subkeys for each round

  9. DES’s F [Diagram: 32 bits → Expand and Permute (using E table) → 48 bits → ⊕ Kn → Substitute (using S boxes) → 32 bits → Permutation] The goal is confusion!

  10. S-Boxes [Diagram: 6 bits (Example: 110011) → S-Box (64 entry lookup table) → 4 bits (1001)] • Critical to security • NSA changed choice of S-Boxes • Only non-linear step in DES: E(11) ≠ E(01) + E(10)

  11. DES Avalanche

      Input:    ...............................................................* 1
      Permuted: .......................................*........................ 1
      Round 1:  .......*........................................................ 1
      Round 2:  .*..*...*.....*........................*........................ 5
      Round 3:  .*..*.*.**..*.*.*.*....**.....**.*..*...*.....*................. 18
      Round 4:  ..*.*****.*.*****.*.*......*.....*..*.*.**..*.*.*.*....**.....** 28
      Round 5:  *...**..*.*...*.*.*.*...*.***..*..*.*****.*.*****.*.*......*.... 29
      Round 6:  ...*..**.....*.*..**.*.**...*..**...**..*.*...*.*.*.*...*.***..* 26
      Round 7:  *****...***....**...*..*.*..*......*..**.....*.*..**.*.**...*..*
      Round 8:  *.*.*.*.**.....*.*.*...**.*...*******...***....**...*..*.*..*...
      Round 9:  ***.*.***...**.*.****.....**.*..*.*.*.*.**.....*.*.*...**.*...**
      Round 10: *.*..*.*.**.*..*.**.***.**.*...****.*.***...**.*.****.....**.*..
      Round 11: ..******......*..******....*....*.*..*.*.**.*..*.**.***.**.*...*
      Round 12: *..***....*...*.*.*.***...****....******......*..******....*....
      Round 13: **..*....*..******...*........*.*..***....*...*.*.*.***...****..
      Round 14: *.**.*....*.*....**.*...*..**.****..*....*..******...*........*.
      Round 15: **.*....*.*.*...*.**.*..*.*.**.**.**.*....*.*....**.*...*..**.**
      Round 16: .*..*.*..*..*.**....**..*..*..****.*....*.*.*...*.**.*..*.*.**.*
      Output:   ..*..**.*.*...*....***..***.**.*...*..*..*.*.*.**.*....*.*.*.**.

      Source: Willem de Graaf, http://www-groups.dcs.st-and.ac.uk/~wdg/slides/node150.html

  12. Key Schedule • Need 16 48-bit keys • Best security: just use 16 independent keys • 768 key bits • 56-bit key used (64 bits for parity checking) • Produce 48-bit round keys by shifting and permuting

  13. DES Keys [Diagram: 56-bit Key split into two 28-bit halves; each half goes through Shift (1 or 2 bits) and on to the next round; Compress/Permute produces Kn] $K_i = PC(\mathrm{Shift}(\mathrm{Left}(K_{i-1})) \,\|\, \mathrm{Shift}(\mathrm{Right}(K_{i-1})))$ Are there any weak keys?

  14. Is DES a perfect cipher? • No: more messages than keys • Even for 1 64-bit block $2^{64}$ messages > $2^{56}$ keys

  15. Attacking DES: Brute Force • Key is 56 bits • $2^{56} = 7.2 \times 10^{16}$ = 72 quadrillion • Try 1 per second = 9 Billion years to search entire space • Distributed attacks • Steal/borrow idle cycles on networked PCs • Search half of key space with 100000 PCs * 1M keys/second in 25 days

  16. Brute Force Attacks • RSA DES challenges: • 1997: 96 days (using 70,000 machines) • Feb 1998: 41 days (distributed.net)

  17. Multiple Encryption

  18. Multiple Encryption • $C = E_{K_2}(E_{K_1}(P))$ • Does it double the key space? • Monoalphabetic cipher: $C_i = K_2[K_1[P_i]] = K_3[P_i]$ for some $K_3$

  19. Double-Vigenère • $C = E_{K_2}(E_{K_1}(P))$ • Vigenère: $C_i = (P_i + K_{i \bmod N}) \bmod Z$ • $C_i = ((P_i + K_{1,\,i \bmod N_1} \bmod Z) + K_{2,\,i \bmod N_2}) \bmod Z = (P_i + K_{1,\,i \bmod N_1} + K_{2,\,i \bmod N_2}) \bmod Z$ • if $N_1 = N_2$: $= (P_i + K_{3,\,i \bmod N}) \bmod Z$ ($K_3 = K_1 + K_2$) • what if $N_1 \ne N_2$?

  20. Double-Vigenère • K1 = "BOND" • K2 = "JAMES" • BONDBONDBONDBONDBONDBONDBOND + JAMESJAMESJAMESJAMESJAMESJAM = KOZHTXNPFGWDNSFMBARVKOZHTXNP • Effective key length: LCM (N1, N2) = 20
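
The composition on slides 19 and 20, checked in code. This is an added example, not part of the original lecture; the function names and the sample plaintext are constructed for illustration. It goes one step past the slide by also showing a key pair whose sum cancels, so the double encryption is the identity.

```python
from math import gcd

A = ord("A")

def vigenere(text, key):
    # C_i = (P_i + K_{i mod N}) mod 26 over the letters A-Z
    return "".join(chr((ord(p) - A + ord(key[i % len(key)]) - A) % 26 + A)
                   for i, p in enumerate(text))

def combined_key(k1, k2):
    # K3_i = (K1_{i mod N1} + K2_{i mod N2}) mod 26; repeats every LCM(N1, N2)
    n = len(k1) * len(k2) // gcd(len(k1), len(k2))
    return vigenere((k1 * n)[:n], k2)

def minimal_period(key):
    # Smallest p such that the key is just its first p letters repeated
    return next(p for p in range(1, len(key) + 1)
                if len(key) % p == 0 and key[:p] * (len(key) // p) == key)

PLAINTEXT = "STRIVINGFORCONFUSIONINCSFIVEEIGHTEIGHT"  # constructed sample

if __name__ == "__main__":
    k3 = combined_key("BOND", "JAMES")
    double = vigenere(vigenere(PLAINTEXT, "BOND"), "JAMES")
    print(k3, minimal_period(k3))              # one 20-letter key does the same job
    print(double == vigenere(PLAINTEXT, k3))   # double encryption == single with K3
    weak = combined_key("BD", "ZX")            # letter sums are 26 and 26
    print(weak, minimal_period(weak))          # "AA": second pass undoes the first
```
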

  21. Double DES • $C = E_{K_2}(E_{K_1}(P))$ • Is there a $K_3$ such that $C = E_{K_3}(P)$? • There are $2^{56}$ keys, and $(2^{64})!$ mappings • If DES is good, keys map randomly to mappings. • Probability that a randomly chosen mapping corresponds to a DES key: $2^{56} / (2^{64})! \ll 1 / (2^{63})!$ • Effective key size of Double DES? $= 2^{56} \times 2^{56} = 2^{112}$ WRONG!

  22. Known Plaintext Attack [Diagram: P → E (K1) → E (K2) → C. Starting from P, E is applied with all possible keys, giving $X_{K_1}, X_{K_2}, \ldots, X_{K_{2^{56}}}$; starting from C, D is applied with all possible keys, giving $Y_{K_1}, Y_{K_2}, \ldots, Y_{K_{2^{56}}}$.] One $X_{K_i} = Y_{K_j}$ means $K_1 = K_i$ and $K_2 = K_j$

  23. Meet-in-the-Middle Attack • $C = E_{K_2}(E_{K_1}(P))$ • $X = E_{K_1}(P) = D_{K_2}(C)$ • Brute force attack (given one P/C pair): calculate $E_{K_1}(P)$ for all keys ($2^{56}$ work); calculate $D_{K_2}(C)$ for all keys ($2^{56}$ work); the match gives the keys • Total work = $2 \times 2^{56} = 2^{57}$
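
Why doubling adds about one bit of work rather than doubling the key length, shown at a scale that runs instantly. This is an added example, not part of the original lecture: the cipher is a constructed 16-bit toy Feistel cipher with 12-bit keys (not DES), and all names and sample values are assumptions. It also shows what slide 23 leaves implicit: one P/C pair produces false matches, which further pairs filter out.

```python
from collections import defaultdict

KEY_BITS = 12   # toy key size (DES uses 56) so both tables build instantly
ROUNDS = 4

def round_keys(key):
    # Rotate the 12-bit key by 3 bits per round; keep 8 bits as the subkey.
    return [(((key << 3 * i) | (key >> (KEY_BITS - 3 * i))) & 0xFF) ^ i
            for i in range(ROUNDS)]

def f(half, subkey):
    # Arbitrary non-linear round function on an 8-bit half (constructed).
    x = half ^ subkey
    return (x * x + 7 * x + 1) & 0xFF

def encrypt(block, key):
    left, right = block >> 8, block & 0xFF
    for k in round_keys(key):
        left, right = right, left ^ f(right, k)
    return (left << 8) | right

def decrypt(block, key):
    left, right = block >> 8, block & 0xFF
    for k in reversed(round_keys(key)):        # same rounds, keys in reverse order
        left, right = right ^ f(left, k), left
    return (left << 8) | right

def double_encrypt(block, k1, k2):
    return encrypt(encrypt(block, k1), k2)

def meet_in_the_middle(pairs):
    """Return every (k1, k2) consistent with all known (P, C) pairs."""
    p0, c0 = pairs[0]
    middle = defaultdict(list)                 # X = E_k1(P) -> [k1, ...]
    for k1 in range(1 << KEY_BITS):
        middle[encrypt(p0, k1)].append(k1)
    found = []
    for k2 in range(1 << KEY_BITS):            # Y = D_k2(C); match when X == Y
        for k1 in middle.get(decrypt(c0, k2), ()):
            # One pair leaves about 2^24 / 2^16 false matches; more pairs filter.
            if all(double_encrypt(p, k1, k2) == c for p, c in pairs[1:]):
                found.append((k1, k2))
    return found

# Constructed sample: two secret keys and three known plaintext/ciphertext pairs.
K1, K2 = 0x5A3, 0xC17
PAIRS = [(p, double_encrypt(p, K1, K2)) for p in (0x1234, 0xBEEF, 0x0F0F)]

if __name__ == "__main__":
    print(meet_in_the_middle(PAIRS))   # 2 * 2^12 table operations, not 2^24
```
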

  24. Hmmm…maybe thrice?

  25. 2-Key Triple DES • $C = E_{K_1}(D_{K_2}(E_{K_1}(P)))$ • Why $D_{K_2}$ not $E_{K_2}$? • Backwards compatibility with DES • If $K_1 = K_2$: $C = E_{K_1}(D_{K_1}(E_{K_1}(P))) = E_{K_1}(P)$ • Actual key size = 56 + 56 bits = 112 bits • Meet-in-the-middle? • $X = E_{K_1}(P) = D_{K_1}(E_{K_2}(C))$ ($2^{56}$ for the left side; need to try $2^{112}$ for the right side)

  26. How secure is Triple-DES • Brute force search: $2^{112}$ keys • Best DES attack: 245 B keys/second • $6.7 \times 10^{14}$ years (compared to 22 hours) • $10^{11}$ years = total lifetime of universe (closed universe theory) • Best known attack - reduces to $2^{120 - \log_2 n}$ • n = number of known P-C pairs • $n = 2^{64}$, work is $2^{56}$ Realistic?

  27. 3-Key Triple DES • $C = E_{K_3}(D_{K_2}(E_{K_1}(P)))$ • H(K) = 168 • Used by PGP, S/MIME • How much work to brute-force? • Meet-in-the-middle: $X = D_{K_3}(C) = D_{K_2}(E_{K_1}(P))$: $2^{56} + 2^{112}$

  28. Cracking DES (1998) 90B keys per second Cost < $250K (in 1998) 56 hours to solve RSA DES Challenge

  29. Cracking DES (2001) • Mike Bond, Richard Clayton (University of Cambridge PhD Students) • IBM 4578 “Cryptoprocessor” (used in banking security – generates PINs from account numbers) • $995 for custom FPGA • 20 hours to extract key • Meet-in-the-middle attack (we’ll discuss this next class)

  30. Cracking DES (2005) Girish Ratanpal

  31. POWER ANALYSIS ATTACKS Girish Ratanpal Electrical & Computer Engineering UVA

  32. The Problem • Mathematically secure Cryptographic algorithms. • Implementations leak out information. • Side-channels • Execution time • Power consumption • Radio frequencies • Electric/magnetic fields

  33. The Power consumption side-channel • Correlation between operation and power consumed. • E.g. MOV 0 v/s MOV FF • Correlation between power consumed and bit transitions at the output of gates. • E.g. 01 v/s 10

  34. DPA attack on DES • Guess the 6-bit sub-key of $K_{16}$ • Determine $C_i$, $L_{15}[0]$ • Determine selection function $D(C_i, b, K_{16})$

  35. DES attack contd. • Collect power traces with k time samples for m cipher-texts. • Divide the traces into two sets $T_0$ and $T_1$ using the selection function. • Compute the average - this is the DPA trace

  36. S[k] with Correct Guess

  37. S[k] with Incorrect Guess

  38. Subkey for SBOX-5

  39. Existing Countermeasures • Noise Insertion: Directly reduces SNR of S[k]. • Temporal De-synchronization • Randomly varying clock • Dummy instructions • Randomized instruction stream • Algorithmic Countermeasure • Intermediate results masking • Supply Current Shielding • Off-chip capacitors

  40. Existing Countermeasures • Algorithmic & Temporal De-synchronization – affect implementation • Need for a solution that • Puts minimal constraints on hardware implementation • Can be integrated on-chip

  41. Suppression circuit • Voltage sensed by $R_{sense}$ • Current feedback to keep voltage constant. • $C_{filter}$ for high frequency components.

  42. Result of Suppression

  43. DPA on Protected Device

  44. Charge • Deadline for project proposals delayed until Feb 17 • Start using the forum to find project teams • PS2 out today, due next Tuesday • Read the attached paper before Thursday’s class • We’ll talk about it Thursday
