250 likes | 404 Views
ELEC5616 computer and network security. matt barrie mattb@ee.usyd.edu.au. DES keys. Given one plaintext/cyphertext (m,c) pair, there is a very high probability that only one key will satisfy c = DES(m,k) Consider DES as a collection of permutations π (1) … π (2 56 ) .
E N D
ELEC5616computer and network security matt barrie mattb@ee.usyd.edu.au lecture 5 :: attacks on DES
DES keys • Given one plaintext/cyphertext (m,c) pair, there is a very high probability that only one key will satisfy c = DES(m,k) • Consider DES as a collection of permutations π(1) … π(256). • If πi are independent permutations then (m, k) : Pr [ k1≠ k : DES(m, k1) = DES(m, k) ] = 256 . 2-64 = 2-8 = 0.39% • Thus given one (m, c) pair the key is uniquely determined. The problem is to find k. lecture 5 :: attacks on DES
attacks on DES • Exhaustive key search • For a strong n-bit block cypher with a j-bit key, the key can be recovered on average in 2j-1 operations given a small number (< (j+4)/n) of plaintext-cyphertext pairs • For DES, j = 56 bits, n = 64 bits so exhaustive search is expected to yield the key in 255 operations • Cyphertext-only DES key search • Suppose DES is used to encrypt 8 x 8 ASCII characters (=64 bits) per block, with one bit being a parity bit. • Trial decryption yields all 8 parity bits valid with probability 2-8 • and thus for t blocks 2-8t • Over 256 keys, this leads to probability of correct key being 2-56 / 2-8t • thus only t ~ 10 blocks are enough lecture 5 :: attacks on DES
reducing effort in attacks on DES • DES is a Feistel network, thus: DES(m, k) = DES(m, k) • This is called the “Complementation Property” • So for a CPA: if c1 = DES(m, k) and c2 = DES(m, k) then if DES(m, k1) ≠ c1 nor c2 then k ≠ k1 nor k1 • Search space is reduced by half lecture 5 :: attacks on DES
2DES • Double encryption with DES (2DES) is bad 2DESk1k2(m) = Ek1(Ek2(m)) • 2DES is vulnerable to “meet in the middle” attack • i.e. for a fixed message, m, create a table: Ek(m) for all k є {0,1}56 • Then for c = Ek1k2(m) try all k until Dk1(c) is in the table • Thus 2DES can be broken on average in 256 operations using 256 memory slots (a time-space tradeoff)- not good for 112 bits of key (56 + 56) lecture 5 :: attacks on DES
3DES • Two-key Triple DES (3DES): DES three times, two keys (112 bits) 3DESk1k2(m) = Ek1(Dk2(Ek1(m))) • The strength of DES (& 3DES) is that it does not form a group DESk1(DESk2(m)) ≠ DESk3(m) • Consider the time-space tradeoff on 2TDES: • for time 2(56+64)/s and space s, we can recover k1 and k2 in 2TDES • If s > 28 then we can do better than exhaustive search. lecture 5 :: attacks on DES
DESX • A modification of DES to avoid exhaustive key search is DESX k1 = 56 bits (DES key) k2 = 64 bits (whitening key) k3 = h(k2, k3) = 64 bits DESXk1k2k3(m) = k3 Ek1 (m k2) • Whitening key gives greater resilience to brute force attacks • Given j plaintext / cyphertext pairs, the effective key size is greater than or equal to |k| + n -1 - log j = 56 + 64 - 1 - log j = 119 - log j ≥ 100 bits lecture 5 :: attacks on DES
DES round functions • The function F(x,ki): {0,1}32 x {0,1}48→ {0,1}32 x (32 bits) ki (48 bits) expansion 48 bits b 48 bits 8 x S-boxes (4x16) (substitution) nonlinear confuse 6 bits x 8 s1 s8 4 bits x 8 32 bits P-box (permutation) diffuse P lecture 5 :: attacks on DES
differential cryptanalysis • This method is a better-than-brute-force approach to attacking DES with (plaintext, cyphertext) pairs (CPA). • Involves looking at the XOR of two texts. • We consider any s-box function F(x, ki) : • Define the difference measure (on input) as Δ = b1 b2 = (x1 ki) (x2 ki) = x1 x2 • The input XOR (b1 b2) does not depend on the key but the output XOR (e1 e2) does. b1, b2 (2x6 bits) S box e1, e2 (2x4 bits) lecture 5 :: attacks on DES
differential cryptanalysis • Now define the set Δ(b) consisting of ordered pairs (b1 , b2) having input XOR b: Δ(b) = {(b1, b2) є {0,1}6 | b1 b2 = b} where | Δ(b) | = 26 = 64 • Take the example where b = 110100, then if we consider the first S-box the pairs might be Δ(b) = {(000000,110100), (000001,110101), … (111111,001011)} 110100 110100 110100 lecture 5 :: attacks on DES
differential cryptanalysis • If this is done for all 64 pairs in Δ(b) then the following distribution of output XORs (e1 e2) is obtained: (e1 e2) 0000 0001 0010 0011 … 1111 0 8 16 6 6 • Now suppose that (b1 b2) = 110100 and (e1 e2) = 0001, then (b1 , b2) must be one of eight possible pairs, hence b1 is one of 16 possible values. • Since x1 is known (this is a KPA), the 6 bits of the key XORed with x1 to give b1 are one of 16 possible values. • This procedure is repeated for different Δs to make deductions about the key bits and eventually recover the key. lecture 5 :: attacks on DES
linear cryptanalysis • Consider the cyphertext derived by combining certain bits from the plaintext and key: • The cypher can easily be broken, for example, if c[1] = p[4] p[17] k[5] k[3] i.e. k[3] k[5] = c[1] p[4] p[17] • This is because the cypher is linear. plaintext key cyphertext lecture 5 :: attacks on DES
linear cryptanalysis • If we use the following notation: p[i1, …, iu] = p[i1] p[i2] … p[iu] (the xor bits of the plaintext) • Also define ρ = Pr [ p[i1, …, iu] c[j1, …, jv] = k [s1, …, sw] ] • Now if |ρ - 0.5| is large, then we can guess k [s1, … , sw] • Optimally for a break|ρ - 0.5|= 0.5 (ρ = 0 or 1)(perfect cipher would have ρ = 0.5) lecture 5 :: attacks on DES
algorithm to recover key bits • Given R plaintext, cyphertext pairs (R is large): if ρ > 0.5 then k[s1, …, sw] = majority{p[i1, …, iu]} c[j1, …, jv]} over all plaintext cyphertext pairs if ρ < 0.5 then k[s1, …, sw] = minority = 1 majority • (*) Fact: if given R ≥ (ρ - 0.5)-2 then the correct value of k[s1, … , sw] is obtained with probability > 97.7% lecture 5 :: attacks on DES
linear cryptanalysis of DES • In 1993, Matsui made the following observation about DES which approximates the 5th S-box as a linear function: ρ5 = Pr[ x[4] = S5(x)[0,1,2,3] ] = 12/64 = 0.19 (Note x є {0,1}6) • For the ith DES round Pri [ri[15] F(ri , ki)[7,18,24,29] = ki[22]] = ρ5 = 0.19 (ri is the ith round right hand part) where the bits have been chosen to undo the permutation. lecture 5 :: attacks on DES
attack on 3 round DES left half of plaintext right half of plaintext l0 r0 From the first round we can write Pr[r1[7,18,24,29] xor l0[7,18,24,29] xor r0[15] = k0[22]] = ρ5 From the last round we can write Pr[r1[7,18,24,29] xor cr[7,18,24,29] xor cl[15] = k2[22]] = ρ5 XORing together gives Pr[l0[7,18,24,29] xor cr[7,18,24,29] xor cl[15] xor r0[15] = k0[22] xor k2[22]] = ρ5 .ρ5 + (1- ρ5)2 = 0.7 Using the fact (*) we can find k0[22] xor k2[22] using R = (0.7 - 0.5)-2 = 25 plaintext/cyphertext pairs F(r0,k0) l1 r1 F(r1,k1) l2 r2 F(r2,k2) l3 r3 left half of cyphertext right half of cyphertext lecture 5 :: attacks on DES
DES strengths against attacks AttackComplexity # messages requirements known chosen storage processing exhaustive precomputation - 1 256 1 (lookup) exhaustive search 1 - neg. 255 linear cryptanalysis 243(85%) - for texts 243 238(10%) - for texts 250 differential cryptanalysis - 247 for texts 247 255 - for texts 255 lecture 5 :: attacks on DES
advanced encryption standard (AES) • NIST Requirements: • Block cypher • 128 bit blocks • 128/192/256 bit keys • Strength equal to or better than 3DES at greatly improved efficiency • smartcard, hardware, software • flexibility • simplicity and elegance • Royalty-free worldwide • security for over 30 years • may protect sensitive data for over 100 years • public confidence in the cypher lecture 5 :: attacks on DES
AES candidates • 15 submissions from international field • Some strong candidates: Name Type Rounds Rel. Speed Gates (cycles) Twofish Feistel 16 1254 23k Serpent SP-network 32 1800 70k Mars Ext. Feistel 32 1600 70k cells Rijndael Square 10, 12, 14 1276 ??? RC6 Feistel 20 1436 ??? lecture 5 :: attacks on DES
AES • Rijndael (pronounced “rain-dahl”) announced Oct 2000 • Operates on 128 bit blocks • Key length is variable: 128, 192 or 256 bits • An SP-network • Uses a single S-box which acts on a byte input to give a byte output (think of as a 256 byte lookup table): S(x) = M(1/x) + b over the field GF(28) (M is a matrix, b is a constant) • Construction gives tight differential and linear bounds. lecture 5 :: attacks on DES
1 5 9 13 2 6 10 14 3 7 11 15 4 8 12 16 AES overview • Linear transformation arranging 16 bytes of the value being encoded in a square and doing bytewise shuffling and mixing. • Step 1: Add Round Key • simply XORs in the subkey for the current round • Step 2: Byte-sub • S-box substitution • Step 3: Shuffle (ShiftRows) • top row of four bytes in unchanged • second row is shifted one place left • third row is shifted two places left • fourth row is shifted three places left • Step 4: Mix Column • four bytes in a column are mixed using a matrix multiplication • Result: Change in the input effects all of output in 2 rounds lecture 5 :: attacks on DES
AES lecture 5 :: attacks on DES
AES overview • Number of rounds variable: • 10 for 128-bit keys • 12 for 192-bit keys • 14 for 256-bit keys • Gives 50% margin of safety based on current known attacks • attack for 6 round 128 bit keys • attack for 7 round 192 bit keys • attack for 9 round 256 bit keys • however require enormous amount of texts (certificational) • Safety against feasible attacks believed to currently be ~100% lecture 5 :: attacks on DES
references • Towards the 128-bit Era: AES Candidates (interest only)http://home.ecn.ab.ca/~jsavard/crypto/co0408.htm • Stallings (3rd Ed) • §4 • Handbook of Applied Cryptography • §7.1 - §7.4 lecture 5 :: attacks on DES