
Symmetric Cryptography - Nils Nordbotten, August 2020 (PDF document)



IN3210/4210 Network and Communications Security - Symmetric Cryptography - Nils Nordbotten, August 2020

Terminology
● plaintext (P) - original message/data
● ciphertext (C) - coded message/data
● cipher - algorithm for transforming plaintext to ciphertext or ciphertext to plaintext
● key (K) - info used in cipher known only to sender/receiver
● encipher (encrypt) (E) - converting plaintext to ciphertext
● decipher (decrypt) (D) - recovering plaintext from ciphertext
● cryptography - study of encryption principles/methods
● cryptanalysis (code breaking) - study of principles/methods of recovering key or deciphering ciphertext without knowing the key
● cryptology - field of both cryptography and cryptanalysis

Main cryptographic cipher types
● Symmetric (one key, i.e., shared secret key): stream ciphers and block ciphers
● Asymmetric (two keys, i.e., public/private key)
(Figure: tree of cipher types; green = this lecture, orange = next week)

Model of symmetric cryptosystem (i.e., the sender and receiver share a secret key)
(Figure: the encrypter computes ciphertext C = E(K,P) from plaintext P with secret key K; the decrypter recovers P = D(K,C) with the same K; an opponent observes C)
The secret key must be distributed over a secure channel, while the encryption algorithm is assumed to be publicly known.

The one-time pad (the Vernam cipher)
C = E(K,P) = K ⨁ P
P = D(K,C) = K ⨁ C
(⨁ is the exclusive OR operator)
+ Provides perfect secrecy (and is fast)
- Requires a random one-time key as long as the plaintext

Notions of cryptographic security
● Unconditional security - the system cannot be broken even with infinite computational resources
● Computational security - it is impossible to break the system in practice due to the computational resources required by the best known algorithms for breaking the system
● Provable security - breaking the system is equivalent to solving a difficult problem (e.g., factoring, discrete logarithm)

Stream ciphers use pseudo-random number generators to generate a keystream that is XORed with the plaintext/ciphertext
(Figure: on each side, key K feeds a pseudorandom number generator that produces keystream k; the sender XORs k with plaintext stream P to give ciphertext stream C, and the receiver XORs k with C to recover P)
Stream ciphers can be realized using a block cipher in a «stream mode» or by dedicated stream ciphers (e.g., ChaCha20)

RC4 is a variable key-size, byte-oriented stream cipher making use of a permutation of all 8-bit values
● Designed to be efficient to implement in software (as opposed to traditional stream ciphers intended to be implemented in HW)
● Has been widely used, including:
   SSL/TLS
    - No longer recommended after attack demonstrated in 2013
    - Enabled by biases in the start of the RC4 keystream
    - The attack was not very practical but... (http://www.isg.rhul.ac.uk/tls/)
   WEP/WPA
    - The attack on TLS with RC4 also applies to WPA/TKIP
    - The vulnerabilities in WEP were not due to RC4 itself, but the way it was used

RC4 initialization
● Start with a key K of length ≤ 256:
      for i = 0 to 255 do
          S[i] = i
          T[i] = K[i mod keylength]
  S is now initialized with all numbers from 0-255. T is initialized with K (where K is repeated if necessary to generate T of length 256).
● Use T to shuffle S:
      j = 0
      for i = 0 to 255 do
          j = (j + S[i] + T[i]) mod 256
          swap(S[i], S[j])
● S forms the internal state of the cipher

RC4 keystream generation - encryption/decryption
For each plaintext/ciphertext byte: shuffle S and generate a keystream value that is XORed with the plaintext/ciphertext byte:
      i = j = 0
      for each plaintext byte P_i do
          i = (i + 1) mod 256
          j = (j + S[i]) mod 256
          swap(S[i], S[j])
          t = (S[i] + S[j]) mod 256
          C_i = P_i ⨁ S[t]
(Decryption: P_i = C_i ⨁ S[t])
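The two pseudocode fragments above written out as runnable Go, as an added example for this page rather than code from the lecture; the RC4 type and the names NewRC4, XORKeyStream and RC4Crypt are mine. The values printed by main are the widely published RC4 test vector for key "Key" and plaintext "Plaintext".

```go
package main

import ("encoding/hex"; "fmt")

// RC4 holds the cipher's internal state: the permutation S and indices i, j.
type RC4 struct { S [256]byte; i, j byte }

// NewRC4 is the initialisation from the slide: S = 0..255, T = key repeated
// to 256 bytes, then T shuffles S (the key-scheduling algorithm).
func NewRC4(key []byte) *RC4 {
	if len(key) == 0 || len(key) > 256 {
		panic("rc4: key length must be 1..256 bytes")
	}
	c := &RC4{}
	var T [256]byte
	for i := 0; i < 256; i++ {
		c.S[i] = byte(i)
		T[i] = key[i%len(key)]
	}
	j := 0
	for i := 0; i < 256; i++ {
		j = (j + int(c.S[i]) + int(T[i])) % 256
		c.S[i], c.S[j] = c.S[j], c.S[i]
	}
	return c
}

// XORKeyStream is the keystream generation step applied to each byte of src:
// advance i and j, swap S[i] and S[j], XOR with S[(S[i]+S[j]) mod 256].
// Encryption and decryption are the same operation.
func (c *RC4) XORKeyStream(dst, src []byte) {
	for k := range src {
		c.i++ // byte arithmetic wraps, so "mod 256" is implicit
		c.j += c.S[c.i]
		c.S[c.i], c.S[c.j] = c.S[c.j], c.S[c.i]
		dst[k] = src[k] ^ c.S[c.S[c.i]+c.S[c.j]]
	}
}

// RC4Crypt encrypts or decrypts data with a fresh state for the given key.
func RC4Crypt(key, data []byte) []byte {
	out := make([]byte, len(data))
	NewRC4(key).XORKeyStream(out, data)
	return out
}

func main() {
	ct := RC4Crypt([]byte("Key"), []byte("Plaintext"))
	fmt.Println(hex.EncodeToString(ct), string(RC4Crypt([]byte("Key"), ct))) // bbf316e8d940af0ad3 Plaintext
}
```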

ChaCha20 stream cipher (RFC 8439)
● ChaCha20 is a variation of Salsa20 that completed the final phase of eSTREAM in 2008, both designed by D. Bernstein
● Designed to be fast when implemented in software
   faster than AES when AES is not supported in hardware
● ChaCha20-Poly1305 is an Authenticated Encryption with Additional Data (AEAD), e.g., supported in TLS 1.3
● Successively calls a block function with increasing block counter: 20 rounds (i.e., 80 quarter rounds) before the original input is added to the current state to produce a block of keystream
   Quarter round function: addition (mod 2^32), XOR and roll/shift
(Figure by Tony Arcieri (CC BY-SA): the original 16x32-bit input/state as a 4x4 matrix - row 1: four constants; rows 2-3: eight key words; row 4: block count and three nonce words - together with the quarter round function)

In their basic form, stream ciphers do not provide integrity/authenticity
● E.g.: D(K, C ⨁ i) = P ⨁ i (i.e., changes to C are not detected and result in predictable changes to P)
● Lesson: only depend on a cryptographic mechanism for its intended purpose(s) and use authenticated encryption

A stream cipher is insecure if the same keystream is used twice
● E.g.: C1 ⨁ C2 = (K ⨁ P1) ⨁ (K ⨁ P2) = P1 ⨁ P2
● Lesson: only use keys for their intended purpose and duration!

The keystream must be completely unpredictable
● May otherwise become vulnerable to known plaintext attacks etc.
● Lesson: cryptographic (pseudo) random generators are critical!
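The two failure modes from the slides above (undetected, predictable changes to P; keystream reuse leaking P1 ⨁ P2) next to the authenticated-encryption lesson, as an added Go example that is not from the lecture. It uses a constructed keystream in place of a real cipher, and xorBytes, flipThenDecrypt, reuseLeak and sealThenOpen are my names; sealThenOpen pairs the XOR encryption with an HMAC-SHA256 tag over the ciphertext (encrypt-then-MAC) as a stand-in for a proper AEAD such as ChaCha20-Poly1305.

```go
package main

import ("crypto/hmac"; "crypto/sha256"; "fmt")

// xorBytes is the one-time pad / stream-cipher core: E(K,P) = K xor P and
// D(K,C) = K xor C are the same operation.
func xorBytes(a, b []byte) []byte {
	if len(a) != len(b) { panic("xorBytes: length mismatch") }
	out := make([]byte, len(a))
	for i := range a { out[i] = a[i] ^ b[i] }
	return out
}

// flipThenDecrypt encrypts p, XORs a mask i into the ciphertext and decrypts:
// the result is P xor i, i.e. the change is undetected and fully predictable.
func flipThenDecrypt(keystream, p, mask []byte) []byte {
	c := xorBytes(keystream, p)
	return xorBytes(keystream, xorBytes(c, mask))
}

// reuseLeak shows C1 xor C2 = (K xor P1) xor (K xor P2) = P1 xor P2: when the
// same keystream is used twice the key cancels and the XOR of the plaintexts leaks.
func reuseLeak(keystream, p1, p2 []byte) []byte {
	return xorBytes(xorBytes(keystream, p1), xorBytes(keystream, p2))
}

// sealThenOpen is the slide's lesson applied: encrypt-then-MAC. The sender tags C
// with HMAC-SHA256; the receiver verifies the tag before decrypting, so a modified
// C is rejected instead of silently decrypting to P xor i.
func sealThenOpen(keystream, macKey, p, mask []byte) ([]byte, bool) {
	c := xorBytes(keystream, p)
	m := hmac.New(sha256.New, macKey); m.Write(c); tag := m.Sum(nil)
	c = xorBytes(c, mask) // mask models what happens to C in transit (all zero = untouched)
	v := hmac.New(sha256.New, macKey); v.Write(c)
	if !hmac.Equal(tag, v.Sum(nil)) { return nil, false }
	return xorBytes(keystream, c), true
}

func main() {
	// Constructed demo values; a real keystream would come from a cipher such as RC4 or ChaCha20.
	ks := []byte{0x9f, 0x3a, 0x51, 0xe2, 0x07, 0xc4, 0x6d}
	mask := []byte{0, 0, 0, 0, 0, 0, 0x08} // flips one bit of the last byte: '1' (0x31) <-> '9' (0x39)
	fmt.Printf("%s\n", flipThenDecrypt(ks, []byte("LEVEL 1"), mask)) // LEVEL 9
	_, ok := sealThenOpen(ks, []byte("mac-key"), []byte("LEVEL 1"), mask)
	fmt.Println("tampered ciphertext accepted:", ok) // false
}
```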

Random numbers
● Many applications of random numbers in cryptography and security (e.g., key generation, keystreams, nonces, ...)
● Critical that these values are statistically random (uniform distribution and independence) and that future values are unpredictable
   Improper random number generation is a common source of security vulnerabilities
● Often use a Pseudorandom Number Generator (PRNG):
   Deterministic sequence of outputs, given a seed (e.g., the secret key) as input
   Such pseudorandom numbers are not truly random but can pass many tests of randomness
   May be based on, e.g., symmetric/asymmetric ciphers or hash functions

Symmetric block ciphers map a fixed-size input block to a fixed-size output block
● Block size: number of bits taken as input/output
   AES: 128 bits
● Key size: larger keys are more secure but may reduce speed
   AES: 128, 192 or 256 bits
● Block ciphers can be used in different modes of operation
(Figure: the plaintext block and the key enter the block cipher, which outputs the ciphertext block)

Block ciphers typically iterate a weaker round function
• The key is expanded into a sequence of round keys k_1, k_2, ..., k_N by a round key generation algorithm
• AES-128: 10 rounds
• AES-192: 12 rounds
• AES-256: 14 rounds
• DES: 16 rounds
(Figure: the input block passes through Round 1 ... Round N, each round using its own round key, to give the output block)

Advanced Encryption Standard (AES) uses the Rijndael block cipher
AES process highlights:
● January 1997: NIST issued a call for proposals for a new AES
   Received 15 proposals in total
● October 2000: Rijndael selected as the proposed AES cipher
● November 2001: AES approved as FIPS PUB 197
Rijndael was developed by Belgian cryptographers Joan Daemen and Vincent Rijmen

AES-128
• Plaintext represented as a 4x4 byte matrix
• Key is expanded into 11 round keys, each a 4x4 byte matrix
(Figure: the encryption and decryption round structure)

Rijndael/AES round function uses four invertible operations
● Substitute bytes - byte-by-byte substitution based on a table (S-box)
● Shift rows - permutation performed by rotating row by row
● Mix columns - substitution altering each byte in a column based on all the bytes in the column
● Add round key - ⨁ with the round key

AES Instruction Set and Intel's AES-NI
● Extensions to the x86 instruction set providing hardware support for AES
● Provided by Intel and AMD, used by many libraries and applications
● Hardware support for AES is also available on other platforms

Data Encryption Standard (DES)
● Issued as a standard by NIST in 1977
   Block size is 64 bits
   Key is 56 bits - too short today!
   Variation of a Feistel network
● DES is expired and should no longer be used
   Use AES instead of 3DES

Block Cipher Modes of Operation specify how to use symmetric block ciphers for practical applications
● NIST SP 800-38A specifies five modes of operation:
   ECB
   CBC
   CFB
   OFB
   CTR
  (confidentiality modes - they do not ensure integrity/authenticity!)
● SPs 800-38B - G specify additional modes of operation, including authenticated encryption modes such as GCM and modes intended for storage encryption

Using Electronic Codebook (ECB) mode, each block is encrypted/decrypted independently
Identical plaintext blocks (encrypted with the same key) result in identical ciphertext blocks - may be insecure
(Figure: each plaintext block P_j is encrypted with K to give C_j; an image is shown as plaintext, encrypted in ECB mode, and encrypted in a secure mode)
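ECB next to CBC and CTR as an added Go example (not from the lecture) using the standard library's AES: four identical plaintext blocks are encrypted under each mode and the number of distinct ciphertext blocks is counted, which makes the ECB weakness above visible in numbers. The key and IV are constructed demo values, and ecbEncrypt, cbcEncrypt, ctrXOR, distinctBlocks and modeDemo are my names.

```go
package main

import ("bytes"; "crypto/aes"; "crypto/cipher"; "fmt")
// ecbEncrypt: each block independently, C_j = E(K, P_j). Go's standard library
// deliberately offers no ECB helper, so it is written out here.
func ecbEncrypt(block cipher.Block, pt []byte) []byte {
	bs := block.BlockSize()
	if len(pt)%bs != 0 { panic("ecb: input must be a whole number of blocks") }
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += bs { block.Encrypt(ct[i:i+bs], pt[i:i+bs]) }
	return ct
}
// cbcEncrypt: each plaintext block is XORed with the previous ciphertext block
// (the first with the IV) before encryption, so repeats do not show through.
func cbcEncrypt(block cipher.Block, iv, pt []byte) []byte {
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return ct
}
// ctrXOR: the block cipher in a "stream mode"; E(K, counter) blocks form a
// keystream XORed with the data, so one call both encrypts and decrypts.
func ctrXOR(block cipher.Block, iv, data []byte) []byte {
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out
}
// distinctBlocks counts how many different bs-byte blocks appear in data.
func distinctBlocks(data []byte, bs int) int {
	seen := map[string]bool{}
	for i := 0; i+bs <= len(data); i += bs { seen[string(data[i:i+bs])] = true }
	return len(seen)
}

// modeDemo encrypts four identical 16-byte plaintext blocks under each mode and
// returns the number of distinct ciphertext blocks: 1 for ECB (the repetition
// shows through), 4 for CBC and CTR. Key and IV are constructed demo values.
func modeDemo() (ecb, cbc, ctr int) {
	key := bytes.Repeat([]byte{0x11}, 16) // constructed 128-bit demo key
	iv := bytes.Repeat([]byte{0x22}, 16)  // constructed IV; must be fresh per message in practice
	block, _ := aes.NewCipher(key)        // 16-byte key, so no error
	pt := bytes.Repeat([]byte("SAME BLOCK 16B!!"), 4)
	return distinctBlocks(ecbEncrypt(block, pt), 16), distinctBlocks(cbcEncrypt(block, iv, pt), 16),
		distinctBlocks(ctrXOR(block, iv, pt), 16)
}

func main() {
	e, c, s := modeDemo()
	fmt.Println("distinct ciphertext blocks - ECB:", e, "CBC:", c, "CTR:", s) // 1 4 4
}
```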

Cipher Block Chaining (CBC) mode
(Figure: CBC encryption/decryption; no further text on this slide)
