Introduction to SW Security
Chap. 3. Symmetric Key Crypto(Block Ciphers)
Spring, 2018
Cho, Seong-je (조성제)
sjcho at dankook.ac.kr
Computer Security & OS Lab, DKU
Many slides taken from the textbook (its site) and web sites
• Textbook
• M. T. Goodrich and R. Tamassia, Introduction to Computer Security, Pearson (Addison-Wesley)
http://www.pearsonhighered.com/pearsonhigheredus/educator/product/products_detail.page?isbn=0321512944&forced_logout=forced_logged_out
Many photos in presentation licensed from google images or wikipedia
Cryptography
Contents
Symmetric Key Crypto
● Block cipher
− DES (Data Encryption Standard)
− AES (Advanced Encryption Standard): Rijndael (rain-dahl)
● Block cipher modes of operation
● Stream cipher
Learning Objectives
After studying this, you should be able to:
Explain the basic operation of symmetric block encryption algorithms
Describe the structure and function of AES
Distinguish among the major block cipher modes of operation
Understand the inner workings and uses of AES
Focus more on the “how” than the “why”
● To understand the “why” -> need to understand cryptanalysis (Chapter 6)
Discuss the issues involved in key distribution
Block Cipher
Plaintext and ciphertext consist of fixed-size blocks
Design goal: security and efficiency
● It is not easy to design a block cipher that is both secure and efficient
The block cipher key determines an “electronic” codebook
● Each key yields a different codebook
Employs both “confusion” and “diffusion”
Examples of block ciphers
● DES, AES, SEED, Blowfish, RC6
● International Data Encryption Algorithm (IDEA)
Block Ciphers
Blocks of letters are encrypted simultaneously
● Many modern cryptosystems (AES, RSA) are also block ciphers
In a block cipher:
● Plaintext and ciphertext blocks have a fixed length b (e.g., 128 bits)
● A plaintext of length n is partitioned into a sequence of m blocks, P[0], …, P[m−1], where n ≤ b·m < n + b
Each message is divided into a sequence of blocks and encrypted or decrypted block by block.
[Figure: a plaintext is split into blocks of plaintext; the last block requires padding with extra bits]
(Iterated) Block Cipher
Ciphertext is obtained from plaintext by iterating a round function
The input to the round function consists of the key and the output of the previous round
Usually implemented in software
The typical type is the Feistel cipher
Feistel Cipher
Feistel cipher refers to a type of block cipher design, not a specific cipher
Split the plaintext block into left and right halves: Plaintext = (L0, R0)
For each round i = 1, 2, ..., n, compute
  Li = Ri−1
  Ri = Li−1 ⊕ F(Ri−1, Ki)
where F is the round function and Ki is the subkey
Ciphertext = (Ln, Rn)
Decryption: Ciphertext = (Ln, Rn)
For each round i = n, n−1, …, 1, compute
  Ri−1 = Li
  Li−1 = Ri ⊕ F(Ri−1, Ki)
where F is the round function and Ki is the subkey
Plaintext = (L0, R0)
The formulas “work” for any function F
But the cipher is only secure for certain functions F
Ex: F(Ri−1, Ki) = 0 for all Ri−1 and Ki -> not secure
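Added example, not code from the slides or the textbook: a generic Feistel network on 64-bit blocks, written to show the two points above. The round function toy_round_function is a hypothetical stand-in (32 bits of a SHA-256 digest) whose only role is to be some F; the F = 0 case from the slide is included to show why the formulas working is not the same as the cipher being secure.

```python
import hashlib

MASK32 = 0xFFFFFFFF


def toy_round_function(right: int, subkey: int) -> int:
    """Placeholder F (hypothetical): 32 bits of SHA-256 over (R, K).
    Any function of (R, K) would do here; Feistel decryption never inverts F."""
    data = right.to_bytes(4, "big") + subkey.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def feistel_encrypt(block: int, subkeys, F=toy_round_function) -> int:
    """(L0, R0) -> (Ln, Rn) with Li = R(i-1), Ri = L(i-1) XOR F(R(i-1), Ki)."""
    L, R = block >> 32, block & MASK32
    for K in subkeys:
        L, R = R, L ^ F(R, K)
    return (L << 32) | R


def feistel_decrypt(block: int, subkeys, F=toy_round_function) -> int:
    """Rounds in reverse: R(i-1) = Li, L(i-1) = Ri XOR F(R(i-1), Ki) = Ri XOR F(Li, Ki).
    Only F's output is needed, so F itself does not have to be invertible."""
    L, R = block >> 32, block & MASK32
    for K in reversed(subkeys):
        L, R = R ^ F(L, K), L
    return (L << 32) | R


def zero_round_function(right: int, subkey: int) -> int:
    """The slide's insecure F: always 0. Each round then only swaps the halves,
    so the key never influences the ciphertext at all."""
    return 0


if __name__ == "__main__":
    subkeys = [0x1000 + i for i in range(16)]          # constructed subkeys, 16 rounds as in DES
    p = 0x0123456789ABCDEF
    c = feistel_encrypt(p, subkeys)
    print(f"c = {c:016x}, round trip ok: {feistel_decrypt(c, subkeys) == p}")
    # With F == 0 and an even number of rounds the "ciphertext" is the plaintext itself.
    print(f"F=0 leaks plaintext: {feistel_encrypt(p, subkeys, F=zero_round_function) == p}")
```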
Padding
Block ciphers require the length n of the plaintext to be a multiple of the block size b
Padding the last block needs to be unambiguous (cannot just add zeroes)
When the block size and plaintext length are multiples of 8 bits, a common padding method (PKCS5) is a sequence of identical bytes, each indicating the length (in bytes) of the padding
Example for b = 128 bits (16 bytes)
● Plaintext: “Roberto” (7 bytes)
● Padded plaintext: “Roberto999999999” (16 bytes), where 9 denotes the number and not the character
We always need to pad the last block, which may consist only of padding
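Added example, not code from the slides: the PKCS5 padding described above for 16-byte blocks, including the case where the plaintext already fills a block (a whole block of padding is appended), an unpad routine that checks every padding byte rather than trusting the last one, and a check of why plain zero padding is ambiguous. Function names are my own.

```python
BLOCK = 16   # 128-bit blocks, as in the slide's "Roberto" example


def pkcs5_pad(data: bytes, block: int = BLOCK) -> bytes:
    """Append n bytes, each of value n, where 1 <= n <= block.
    n is never 0: a plaintext that already fills a block gets a full extra block
    of padding, which is what keeps the scheme unambiguous."""
    n = block - (len(data) % block)
    return data + bytes([n]) * n


def pkcs5_unpad(data: bytes, block: int = BLOCK) -> bytes:
    """Strip the padding, verifying all n padding bytes, not just the last one."""
    if not data or len(data) % block:
        raise ValueError("invalid padding")
    n = data[-1]
    if not 1 <= n <= block or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid padding")   # same error for every failure
    return data[:-n]


def zero_pad_is_ambiguous() -> bool:
    """Why 'just add zeroes' fails: two different plaintexts pad to the same block,
    so the receiver cannot tell whether the trailing 0x00 was data or padding."""
    padded_a = b"Roberto".ljust(BLOCK, b"\x00")          # 7 bytes + 9 zero bytes
    padded_b = b"Roberto\x00".ljust(BLOCK, b"\x00")      # 8 bytes + 8 zero bytes
    return padded_a == padded_b


if __name__ == "__main__":
    print(pkcs5_pad(b"Roberto"))        # b'Roberto\t\t\t\t\t\t\t\t\t' (0x09 = 9, nine times)
```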
Block Ciphers in Practice
Data Encryption Standard (DES)
● Developed by IBM and adopted by NIST in 1977
● Based on IBM Lucifer cipher
● DES is a Feistel cipher
− 64-bit blocks and 56-bit keys
− 16 rounds
− 48 bits of key used each round (subkey)
● Security depends primarily on “S-boxes”
− Each S-box maps 6 bits to 4 bits
− Total of 8 S-boxes
● The small key space has made exhaustive search attacks feasible since the late 90s
One Round of DES
[Figure: one round of DES. The 64-bit block is held as two 32-bit halves L and R; R is expanded from 32 to 48 bits and combined with the 48-bit subkey, passed through the 8 S-boxes (48 → 32 bits) and the P box, and mixed into L. The 56-bit key is held as two 28-bit halves and compressed to the 48-bit subkey.]
DES S-box
8 “substitution boxes” or S-boxes
Each S-box maps 6 bits to 4 bits
S-box number 1 (row selected by input bits (0,5); column selected by input bits (1,2,3,4)):

      0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111
 00   1110 0100 1101 0001 0010 1111 1011 1000 0011 1010 0110 1100 0101 1001 0000 0111
 01   0000 1111 0111 0100 1110 0010 1101 0001 1010 0110 1100 1011 1001 0101 0011 1000
 10   0100 1101 1110 1000 1101 0110 0010 1011 1111 1100 1001 0111 0011 1010 0101 0000
 11   1111 1100 1000 0010 0100 1001 0001 0111 0111 1011 0011 1110 1010 0000 0110 1101
Security of DES
Security of DES depends a lot on S-boxes
● Everything else in DES is linear
Thirty years of intense analysis has revealed no “back door”
Attacks today use exhaustive key search
Inescapable conclusions
● Designers of DES knew what they were doing
● Designers of DES were ahead of their time
Block Ciphers in Practice
Triple DES (3DES)
● Nested application of DES with three different keys KA, KB, and KC
● Effective key length is 168 bits, making exhaustive search attacks infeasible
● C = E_KC(D_KB(E_KA(P)));  P = D_KA(E_KB(D_KC(C)))
● Equivalent to DES when KA = KB = KC (backward compatible)
But in practice, Triple DES is
  C = E(D(E(P, K1), K2), K1)
  P = D(E(D(C, K1), K2), K1)
(112-bit key)
Advanced Encryption Standard (AES)
● Selected by NIST in 2001 through open international competition and public discussion
● 128-bit blocks and several possible key lengths: 128, 192 and 256 bits
● Exhaustive search attack not currently possible
● AES-256 is the symmetric encryption algorithm of choice
Advanced Encryption Standard(AES)
AES animation: http://www.formaestudio.com/rijndaelinspector/archivos/Rijndael_Animation_v4_eng.swf
http://poincare.matf.bg.ac.rs/~ezivkovm/nastava/rijndael_animacija.swf
http://www.ccna-security.net/wp-content/uploads/2008/10/rijndael_ingles2004.swf
AES Crypt
File encryption software available on several operating systems that uses the industry-standard AES to easily and securely encrypt files.
● You do not need to be an expert to use AES Crypt, nor do you need to understand cryptography.
Using a powerful 256-bit encryption algorithm, AES Crypt can safely secure your most sensitive files.
AES Crypt is completely free open source software
https://www.aescrypt.com/
How was AES created?
DES was broken: the key size is too small ← brute-force attack is possible
● Attacked by exhaustive key search: special-purpose DES crackers and distributed attacks over the Internet
Triple-DES is very resistant to cryptanalysis, but
● No efficient software code
● Too slow: 3 times as many rounds as DES
● 3DES uses a 64-bit block size: for reasons of both efficiency and security, a larger block size is desirable
● So 3DES is not a solution for long-term use
In 1997, NIST made a formal call for advanced encryption standard algorithms
How was AES created?
Goal:
● Replace DES for both government and private-sector encryption
AES Competition Requirements
● Unclassified, publicly disclosed encryption algorithm, available royalty-free, worldwide
● Private-key symmetric block cipher
● Block size of 128 bits; 128/192/256-bit keys
● Stronger & faster than Triple-DES
● Provide full specification & design details
● Both C & Java implementations
15 candidates accepted in Jun 98
5 were shortlisted in Aug 99
● Rijndael, MARS, RC6, Serpent, Twofish
AES Evaluation Criteria
Initial criteria:
● Security – effort for practical cryptanalysis
− Resistance to cryptanalysis, soundness of math, randomness of output, etc.
● Speed – in terms of computational efficiency (cost) and memory requirements
● Algorithm & implementation characteristics
− Flexibility, hardware & software suitability, algorithm simplicity
Final criteria:
● General security: the security analysis carried out by the cryptographic community during the 3-year evaluation period
● Ease of software & hardware implementation
● Implementation attacks
− Timing attacks: determine the key by tracking how long the computer takes to decrypt a message
− Power analysis attacks: the power consumed at a given moment is related to the data being processed (writing a 1 consumes more power than writing a 0)
● Flexibility (in en/decryption, keying, other factors)
− Ease of supporting different key and block sizes
− Ease of increasing the number of rounds to counter new attacks
The AES Cipher - Rijndael
Rijndael (rain-dahl) was selected as the AES in Oct-2000
● Designed by Vincent Rijmen and Joan Daemen in Belgium
● Issued as the FIPS PUB 197 standard in Nov-2001
An iterative rather than Feistel cipher
● Iterated block cipher (like DES)
● Not a Feistel cipher (unlike DES)
● Processes data as a block of 4 columns of 4 bytes (128 bits)
● Operates on the entire data block in every round
[Figure: AES takes a 128-bit plaintext block and a 128–256-bit key and produces a 128-bit ciphertext block]
The Advanced Encryption Standard (AES)
AES is a block cipher that operates on 128-bit blocks.
● Key size of 128, 192, or 256 bits
● Variable number of rounds (10, 12, 14):
− 10 if B = K = 128 bits
− 12 if either B or K is 192 and the other is ≤ 192
− 14 if either B or K is 256 bits
● 128-bit round key used for each round:
− 128 bits = 16 bytes = 4 words
− needs Nr+1 round keys for Nr rounds
− needs 44 words for 128-bit key (10 rounds)
AES Round Structure
The 128-bit version of the AES encryption algorithm proceeds in ten rounds.
Each round performs an invertible transformation on a 128-bit array, called state.
‒ State: 4×4 array of bytes
‒ 128 bits = 16 bytes
The initial state X0 is the XOR of the plaintext P with the key K:
X0 = P XOR K.
Round i (i = 1, …, 10) receives state Xi-1 as input and produces state Xi.
The ciphertext C is the output of the final round: C = X10.
AES Overview
Each round uses 4 functions (in 3 “layers”)
● 4 functions: 1 of permutation and 3 substitutions
● 3 layers: Linear, Nonlinear and Key addition
Permutation
● Linear mixing layer: ShiftRow (State)
Substitutions
● Nonlinear layer: SubBytes (State, S-box)
● Nonlinear layer: MixColumn (State)
● Key addition layer: AddRoundKey (State, KeyNr)
Multiple Rounds
Rounds are (almost) identical
● First and last round are a little different
AES parameters
• Nb – Number of columns in the State
• Nb = 4
• Nk – Number of 32-bit words in the Key
• Nk = 4, 6, or 8
• Nr – Number of rounds (function of Nb and Nk)
• Nr = 10, 12, or 14
Data Unit
128 bits = 16 bytes = 4-by-4 table of bytes = 4 words (1 word= 4 bytes)
High level description
Changing plaintext to State: 1 block = 128 bits = 16 bytes = a 4-by-4 array of state bytes
● Total of 16 state bytes: each entry s_i,j = 8 bits = 1 byte
Key Expansion
• Round keys are derived from the cipher key using Rijndael's key schedule
Initial Round
• AddRoundKey: each byte of the state is combined with the round key using bitwise XOR
Rounds
• SubBytes: non-linear substitution step
• ShiftRows: transposition step
• MixColumns: mixing operation on each column
• AddRoundKey
Final Round
• SubBytes
• ShiftRows
• AddRoundKey
AES: High-Level Description
State: 4 X 4 array of bytes: 128 bits = 16 bytes
State = X
AddRoundKey(State, Key0)            (op1)
for r = 1 to Nr − 1
    SubBytes(State, S-box)          (op2)
    ShiftRows(State)                (op3)
    MixColumns(State)               (op4)
    AddRoundKey(State, Key_r)
endfor
SubBytes(State, S-box)
ShiftRows(State)
AddRoundKey(State, Key_Nr)
Y = State
Each Round
Each round is built from four basic steps:
1. SubBytes step: an S-box substitution step
2. ShiftRows step: a permutation step
3. MixColumns step: a matrix multiplication step
4. AddRoundKey step: an XOR step with a round key derived from the 128-bit encryption key
1. SubBytes step
The SubBytes operation involves 16 independent byte-to-byte transformations.
S1,1 = xy₁₆
• Interpret the byte as two hexadecimal digits x and y
• In a software implementation, use the row (x) and column (y) as the lookup index into the S-box
[Figure: example 4×4 state array with byte values 00 44 88 CC / 11 55 99 DD / 22 66 AA EE / 33 77 BB FF, one row per line]
1. SubBytes step
Replace each byte in the state array with its corresponding value from the S-Box
There is an InvSubBytes Table for decryption
● The SubBytes and InvSubBytes transformations are inverses of each other
AES “S-box”
Example: 0x53 is replaced with 0xED
[Table: the AES S-box, indexed by the first 4 bits of the input (row) and the last 4 bits of the input (column)]
2. ShiftRows step
Shifting, which permutes the bytes.
A circular byte shift in each row
● 1st row is unchanged
● 2nd row does a 1-byte circular shift to the left
● 3rd row does a 2-byte circular shift to the left
● 4th row does a 3-byte circular shift to the left
In encryption, the transformation is called ShiftRows
In decryption, the transformation is called InvShiftRows and the shifting is to the right
3. MixColumns step
ShiftRows and MixColumns provide diffusion to the cipher
Each column is processed separately
Each byte is replaced by a value dependent on all 4 bytes in the column
Effectively a matrix multiplication in GF(2^8) using the prime polynomial m(x) = x^8 + x^4 + x^3 + x + 1
3. MixColumns step
The MixColumns transformation operates at the column level; it transforms each column of the state to a new column.
S'0,c = ({02} • S0,c) ⊕ ({03} • S1,c) ⊕ S2,c ⊕ S3,c
S'1,c = S0,c ⊕ ({02} • S1,c) ⊕ ({03} • S2,c) ⊕ S3,c
S'2,c = S0,c ⊕ S1,c ⊕ ({02} • S2,c) ⊕ ({03} • S3,c)
S'3,c = ({03} • S0,c) ⊕ S1,c ⊕ S2,c ⊕ ({02} • S3,c)
4. AddRoundKey
XOR the state with 128 bits of the RoundKey (subkey)
● The RoundKey (subkey) is determined by the key schedule algorithm
● It takes a 128-bit (16-byte) key and expands it into an array of 44 32-bit words
AddRoundKey proceeds one column at a time.
● Adds a round key word to each column of the state matrix
● The operation is matrix addition (bitwise XOR)
The inverse for decryption is identical
● Since XOR is its own inverse, with the round keys in reverse order
4. AddRoundKey
Example of expansion of a 128-bit cipher key
Cipher key = 2b7e151628aed2a6abf7158809cf4f3c
w0=2b7e1516 w1=28aed2a6 w2=abf71588 w3=09cf4f3c
Key Expansion Scheme
Takes a 128-bit (16-byte) key and expands it into an array of 44 32-bit words
Key Expansion Scheme
Round constants
● Each round constant RCon is a 4-byte value whose rightmost 3 bytes are 0
● [Table] the constant value RCon used in each round
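Added example, not code from the slides or from FIPS 197, covering both the MixColumns slides and the key expansion slides: multiplication in GF(2^8) modulo m(x), MixColumns and its inverse on one column, the S-box computed from its definition (so that 0x53 maps to 0xED as on the S-box slide), and the AES-128 key expansion run on the cipher key 2b7e151628aed2a6abf7158809cf4f3c from the slide. Function names are my own.

```python
def xtime(b: int) -> int:
    """Multiply by x (i.e. by {02}) modulo m(x) = x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    b <<= 1
    return (b ^ 0x11B) & 0xFF if b & 0x100 else b


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8): shift-and-add, one bit of b at a time."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a, b = xtime(a), b >> 1
    return p


MIX = (0x02, 0x03, 0x01, 0x01)      # first row of the MixColumns matrix
INV_MIX = (0x0E, 0x0B, 0x0D, 0x09)  # first row of the InvMixColumns matrix


def mix_column(col, row=MIX):
    """Multiply one column by the circulant matrix whose first row is `row`:
    S'[r] = XOR over i of row[(i - r) % 4] * S[i], which for MIX gives the
    four equations on the MixColumns slide (GF multiply, then XOR)."""
    out = []
    for r in range(4):
        acc = 0
        for i in range(4):
            acc ^= gf_mul(row[(i - r) % 4], col[i])
        out.append(acc)
    return out


def gf_inv(a: int) -> int:
    """Multiplicative inverse as a^254 (since a^255 = 1 for a != 0); 0 maps to 0."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r


def build_sbox():
    """S-box entry: invert in GF(2^8), then the affine map b ^ rotl(b,1..4) ^ 0x63."""
    sbox = []
    for a in range(256):
        b = gf_inv(a)
        s = b
        for k in range(1, 5):
            s ^= ((b << k) | (b >> (8 - k))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = build_sbox()
SLIDE_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # cipher key from the slide


def key_expansion(key: bytes):
    """AES-128 key schedule: 16-byte key -> w[0..43], i.e. Nr + 1 = 11 round keys."""
    w = [int.from_bytes(key[4 * i:4 * i + 4], "big") for i in range(4)]
    rcon = 0x01
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:
            t = ((t << 8) | (t >> 24)) & 0xFFFFFFFF                 # RotWord
            t = int.from_bytes(bytes(SBOX[x] for x in t.to_bytes(4, "big")), "big")  # SubWord
            t ^= rcon << 24                         # XOR RCon = (rc, 00, 00, 00)
            rcon = xtime(rcon)                      # next rc = rc * {02}
        w.append(w[i - 4] ^ t)
    return w
```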
AES Decryption
To decrypt, process must be invertible
● Inverse of AddRoundKey is easy, since XOR is its own inverse
● MixColumn is invertible (inverse is also implemented as a lookup table)
● Inverse of ShiftRow is easy (cyclic shift the other direction)
● SubBytes is invertible (inverse is also implemented as a lookup table)
AES Design Rationale
Substitute Bytes
● To be resistant to known cryptanalytic attacks by making the correlation between input bits and output bits low
Shift Rows
● Note that input and output are treated as the State (4×4 array)
● To move an individual byte from one column to another
Mix Columns
● To ensure good mixing of the bytes of each column
Add Round Key
● To affect every bit of the State
● The complexity of the round key expansion ensures security
Symmetric cipher encryption
How to encrypt multiple blocks?
● A new key for each block?
− As bad as (or worse than) a one-time pad!
● Encrypt each block independently?
● Make encryption depend on previous block(s), i.e., “chain” the blocks
together?
● How to handle partial blocks?
Mode of operation of Block Cipher
Because a block cipher operates on blocks of a specific length, variable-length data must first be divided into unit blocks before it can be encrypted, and it must then be decided how those blocks are to be encrypted; the way the blocks are encrypted is called the mode of operation
● Block: a fixed-length data unit
● A mode of operation describes how to repeatedly apply a cipher's single-block operation to securely transform amounts of data larger than a block
How should the block cipher be applied when the plaintext is longer than the cipher's block size?
Several types of efficient modes of operation have been proposed that solve this problem and make the cipher a suitable encryption tool in a variety of application environments.
These are called block cipher modes.
Modes of Operations
Block Cipher Modes
● The way a block cipher encrypts and decrypts a sequence of message blocks.
● There are many ways (modes of operation) to encrypt multiple blocks with a block cipher
Mode of operation of Block cipher
● Electronic Codebook (ECB) mode
− Encrypt each block independently
● Cipher-Block Chaining (CBC) mode
− Chain the blocks together
− More secure than ECB, virtually no extra work
● Cipher-Feedback (CFB) mode
● Output Feedback (OFB) mode
● Counter (CTR) mode
− Popular for random access
● Data integrity of block cipher
− Message Authentication code (MAC)
ECB Mode
Electronic Code Book (ECB) Mode (is the simplest):
● Block P[i] is encrypted into ciphertext block C[i] = EK(P[i])
● Block C[i] is decrypted into plaintext block P[i] = DK(C[i])
Public domain images from http://en.wikipedia.org/wiki/File:Ecb_encryption.png and http://en.wikipedia.org/wiki/File:Ecb_decryption.png
ECB Cut and Paste Attack
Suppose plaintext is Alice digs Bob. Trudy digs Tom.
Assuming 64-bit blocks and 8-bit ASCII:
P0 = “Alice di”, P1 = “gs Bob. ”, P2 = “Trudy di”, P3 = “gs Tom. ”
Ciphertext: C0, C1, C2, C3
Trudy’s cut-and-paste attack: C0, C3, C2, C1
Decrypts as: Alice digs Tom. Trudy digs Bob.
ECB Weakness
Suppose Pi = Pj
Then Ci = Cj and Trudy knows Pi = Pj
This gives Trudy some information, even if she does not know Pi or Pj
● We should not give the cryptanalyst anything for free.
Trudy might know Pi
[Figure: Alice’s original image & Alice’s encrypted image]
Why does this happen?
● Same plaintext block → same ciphertext block!
Strengths and Weaknesses of ECB
Strengths:
● Is very simple
● Allows for parallel encryption of the blocks of a plaintext
● Can tolerate the loss or damage of a block
Weaknesses:
● Identical plaintext blocks appear as identical ciphertext blocks
● Documents and images are not suitable for ECB encryption since patterns in the plaintext are repeated in the ciphertext:
• Looking at the ciphertext reveals that patterns repeat in the plaintext
• Block-position tampering attacks are possible: if an attacker swaps ciphertext blocks, the receiver may not notice
Cipher Block Chaining (CBC) Mode
Blocks are “chained” together
The previous ciphertext block is combined with the current plaintext block
C[i] = EK(C[i−1] ⊕ P[i])
● C[−1] = IV is a random initialization vector, which need not be secret
Decryption: P[i] = C[i−1] ⊕ DK(C[i])
☞ If one ciphertext block is damaged (and the length of the ciphertext block sequence is unchanged), the effect on the decrypted plaintext is limited to 2 blocks
[Figure: CBC encryption, where each P[i] is XORed with the previous ciphertext block (or the IV) before EK, and CBC decryption, where the output of DK is XORed with the previous ciphertext block (or the IV) to recover P[i]]
Strengths and Weaknesses of CBC
Weaknesses:
● CBC requires the reliable transmission of all the blocks sequentially
● It cannot be parallelized
● CBC is not suitable for applications that allow packet losses (e.g., music and video streaming)
Strengths:
● Identical plaintext blocks yield different ciphertext blocks
● Doesn’t show patterns in the plaintext
● The most common mode
● Fast and relatively simple
Cut and paste is still possible, but more complex (and will cause garbles)
If C1 is garbled to, say, G then
  P1 ≠ C0 ⊕ D(G, K), P2 ≠ G ⊕ D(C2, K)
But P3 = C2 ⊕ D(C3, K), P4 = C3 ⊕ D(C4, K), …
Automatically recovers from errors!
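Added example, not code from the slides: ECB, CBC and CTR written over a generic single-block function pair (E_K, D_K), plus a check of the CBC error-propagation claim above by damaging one ciphertext block and reporting which plaintext blocks change. make_toy_cipher is a hypothetical stand-in (a key-derived byte permutation, not a secure cipher) so the block runs without a crypto library; the modes only need E_K to be a bijection on blocks. Function names are my own.

```python
import random

BLOCK = 8   # 64-bit blocks, matching the slides' ECB example


def make_toy_cipher(key: bytes):
    """Return (E_K, D_K) for a stand-in block cipher (hypothetical, NOT secure):
    a key-derived permutation of byte values applied to every byte of the block."""
    table = list(range(256))
    random.Random(key).shuffle(table)          # deterministic for a given key
    inv = [0] * 256
    for i, v in enumerate(table):
        inv[v] = i
    return (lambda b: bytes(table[x] for x in b),   # E_K
            lambda b: bytes(inv[x] for x in b))     # D_K


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def blocks(data: bytes):
    assert len(data) % BLOCK == 0, "ECB/CBC need padded input"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(E, pt: bytes) -> bytes:        # C[i] = E_K(P[i])
    return b"".join(E(p) for p in blocks(pt))


def ecb_decrypt(D, ct: bytes) -> bytes:        # P[i] = D_K(C[i])
    return b"".join(D(c) for c in blocks(ct))


def cbc_encrypt(E, iv: bytes, pt: bytes) -> bytes:   # C[i] = E_K(C[i-1] XOR P[i]), C[-1] = IV
    prev, out = iv, []
    for p in blocks(pt):
        prev = E(xor(prev, p))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(D, iv: bytes, ct: bytes) -> bytes:   # P[i] = C[i-1] XOR D_K(C[i])
    prev, out = iv, []
    for c in blocks(ct):
        out.append(xor(prev, D(c)))
        prev = c
    return b"".join(out)


def ctr_crypt(E, nonce: bytes, data: bytes) -> bytes:
    """CTR: XOR with the pad E_K(nonce || counter). The same call encrypts and
    decrypts, blocks are independent, and a partial last block needs no padding.
    Assumes a 4-byte nonce so that a 4-byte counter fills the 8-byte block."""
    out = []
    for n, i in enumerate(range(0, len(data), BLOCK)):
        pad = E(nonce + n.to_bytes(BLOCK - len(nonce), "big"))
        out.append(xor(data[i:i + BLOCK], pad))
    return b"".join(out)


def cbc_blocks_hit_by_damage(D, iv: bytes, ct: bytes, index: int):
    """Flip one bit in ciphertext block `index` and return the indices of the
    plaintext blocks that decrypt differently (expected: index and index + 1)."""
    good = blocks(cbc_decrypt(D, iv, ct))
    damaged = bytearray(ct)
    damaged[index * BLOCK] ^= 0x80
    bad = blocks(cbc_decrypt(D, iv, bytes(damaged)))
    return [i for i, (g, b) in enumerate(zip(good, bad)) if g != b]
```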
Counter (CTR) mode
CTR is popular for random access
Every step of encryption and decryption can be done in parallel
● We perform encryption through an exclusive-or with a generated pad
We start with a random seed, the counter (= IV)
Java AES Encryption Example
Source
http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html
Generate an AES key
    KeyGenerator keygen = KeyGenerator.getInstance("AES");
    SecretKey aesKey = keygen.generateKey();
Create a cipher object for AES in ECB mode and PKCS5 padding
    Cipher aesCipher;
    // ECB: identical plaintext blocks give identical ciphertext blocks (see ECB Weakness)
    aesCipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
Encrypt
    aesCipher.init(Cipher.ENCRYPT_MODE, aesKey);
    byte[] plaintext = "My secret message".getBytes();
    byte[] ciphertext = aesCipher.doFinal(plaintext);   // doFinal applies the PKCS5 padding
Decrypt
    aesCipher.init(Cipher.DECRYPT_MODE, aesKey);
    byte[] plaintext1 = aesCipher.doFinal(ciphertext);  // doFinal strips the padding
Cryptography Libraries
Implementation | Company | Development | Source | Description
Libgcrypt | GnuPG community and g10code | C | http://www.linuxfromscratch.org/blfs/view/8.2/general/libgcrypt.html |
OpenSSL | The OpenSSL Project | C | https://www.openssl.org/ |
libmcrypt | | C | http://mcrypt.sourceforge.net/ | Replacement for the old crypt() package.
mcrypt (3) – Linux man page: https://linux.die.net/man/3/mcrypt
    MCRYPT mcrypt_module_open(char *algorithm, char *algorithm_directory, char *mode, char *mode_directory);
    int mcrypt_generic_init(MCRYPT td, void *key, int lenofkey, void *IV);
    int mcrypt_generic(MCRYPT td, void *plaintext, int len);
    int mdecrypt_generic(MCRYPT td, void *ciphertext, int len);
    int mcrypt_generic_end(MCRYPT td);
    int mcrypt_generic_deinit(MCRYPT td);
    …
Summary
Encryption provides confidentiality
AES was designed after DES. The algorithms used in AES are so simple that they can be easily implemented using cheap processors and a minimum amount of memory.
Most of the known attacks on DES were already tested on AES.
Brute-Force Attack
AES is definitely more secure than DES due to its larger key size.
Statistical Attacks
Numerous tests have failed to perform statistical analysis of the ciphertext.