
Symmetric Key Crypto, Part 2, Prof. Tom Austin, San José State University (PowerPoint presentation)



  1. CS 166: Information Security Symmetric Key Crypto, Part 2 Prof. Tom Austin San José State University

  2. REVIEW: A5/1 lab • Three shift registers: X = (x0, x1, …, x18) (19 bits), Y = (y0, y1, …, y21) (22 bits), Z = (z0, z1, …, z22) (23 bits) • Each variable here is a single bit • Key is used as initial fill of registers • Each register steps (or not) based on maj(x8, y10, z10): a register steps only if its clocking bit agrees with the majority, so at least two registers step every time • Keystream bit is XOR of rightmost bits of registers: x18 ⊕ y21 ⊕ z22
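The following is an added, bit-level implementation of the A5/1 generator described on the review slide (three registers of 19, 22 and 23 bits, key as initial fill, majority clocking on x8, y10, z10, keystream = XOR of the rightmost bits). It is not the course's lab code. The slide does not list the feedback taps; the taps used below (x13, x16, x17, x18; y20, y21; z7, z20, z21, z22) are the standard A5/1 taps and should be read as an assumption here. Key and message are constructed for the demo.

```python
# Added example: A5/1 keystream generator as described on the review slide.
# ASSUMPTION: feedback taps are the standard A5/1 taps; the slide does not list them.
from typing import List

LENGTHS = (19, 22, 23)
TAPS = ((13, 16, 17, 18), (20, 21), (7, 20, 21, 22))


def maj(a: int, b: int, c: int) -> int:
    """Majority of three bits."""
    return (a & b) | (a & c) | (b & c)


class A51:
    def __init__(self, key: int) -> None:
        # 64-bit key, MSB first, split 19/22/23 as the initial register fill.
        bits = [(key >> (63 - i)) & 1 for i in range(64)]
        self.x, self.y, self.z = bits[:19], bits[19:41], bits[41:]
        assert tuple(map(len, (self.x, self.y, self.z))) == LENGTHS

    @staticmethod
    def _step(reg: List[int], taps) -> List[int]:
        # Feedback bit enters at position 0; every other bit shifts one place right.
        fb = 0
        for t in taps:
            fb ^= reg[t]
        return [fb] + reg[:-1]

    def clock(self) -> int:
        """Step the registers whose clocking bit agrees with the majority, then output."""
        m = maj(self.x[8], self.y[10], self.z[10])
        if self.x[8] == m:
            self.x = self._step(self.x, TAPS[0])
        if self.y[10] == m:
            self.y = self._step(self.y, TAPS[1])
        if self.z[10] == m:
            self.z = self._step(self.z, TAPS[2])
        return self.x[-1] ^ self.y[-1] ^ self.z[-1]      # x18 xor y21 xor z22


def a51_keystream(key: int, n: int) -> List[int]:
    gen = A51(key)
    return [gen.clock() for _ in range(n)]


def a51_xor(data: bytes, key: int) -> bytes:
    """Encrypt or decrypt (same operation): XOR data with the keystream, MSB first."""
    ks = a51_keystream(key, 8 * len(data))
    out = bytearray()
    for i, byte in enumerate(data):
        k = 0
        for bit in ks[8 * i:8 * i + 8]:
            k = (k << 1) | bit
        out.append(byte ^ k)
    return bytes(out)


if __name__ == "__main__":
    key = 0x0123456789ABCDEF                 # constructed demo key
    msg = b"attack at dawn"                  # constructed demo message
    ct = a51_xor(msg, key)
    assert a51_xor(ct, key) == msg
    print("first 32 keystream bits:", "".join(map(str, a51_keystream(key, 32))))
```

Note that an all-zero key fills every register with zeros and the generator emits nothing but zeros: a stream cipher is only as good as the state the key puts into it.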

  3. Advanced Encryption Standard (AES) • Replacement for DES • AES competition (late 90’s) – NSA openly involved – Transparent process – Many strong algorithms proposed – Rijndael Algorithm ultimately selected (pronounced like “Rhine Doll”) • Iterated block cipher (like DES) • Not a Feistel cipher (unlike DES)

  4. AES Overview • Block size: 128 bits (Rijndael also allows other sizes) • Key length: 128, 192 or 256 bits (independent of block size) • 10, 12 or 14 rounds (depends on key length) • Each round uses 4 functions (3 “layers”) – ByteSub (nonlinear layer) – ShiftRow (linear mixing layer) – MixColumn (linear mixing layer) – AddRoundKey (key addition layer) • The final round omits MixColumn

  5. AES ByteSub • Treat the 128-bit block as a 4x4 byte array a_ij (i, j = 0, 1, 2, 3) • ByteSub replaces each byte independently: b_ij = S(a_ij) • ByteSub is AES’s “S-box” – details next slide • Can be viewed as either 1. a nonlinear (but invertible) composition of 2 math operations (multiplicative inverse in GF(2^8), then a fixed affine map); or 2. a 256-entry lookup table

  6. AES “S-box” • 16x16 table: row selected by the first 4 bits of the input byte, column by the last 4 bits (table image not reproduced here)

  7. AES ShiftRow • Cyclic shift of each row - linear operation • Row 0 unchanged: (a_00, a_01, a_02, a_03) • Row 1 rotated left by 1: (a_10, a_11, a_12, a_13) → (a_11, a_12, a_13, a_10) • Row 2 rotated left by 2: (a_20, a_21, a_22, a_23) → (a_22, a_23, a_20, a_21) • Row 3 rotated left by 3: (a_30, a_31, a_32, a_33) → (a_33, a_30, a_31, a_32)

  8. AES MixColumn • Invertible • Linear • Applied to each column i = 0, 1, 2, 3: (a_0i, a_1i, a_2i, a_3i) → (b_0i, b_1i, b_2i, b_3i) • Can be implemented as a lookup table

  9. AES AddRoundKey • XOR subkey with block Block Subkey • RoundKey (subkey) determined by key schedule algorithm

  10. AES Decryption • To decrypt, process must be invertible • Inverse of AddRoundKey is easy – ⊕ is its own inverse • MixColumn is invertible – inverse also implemented as a lookup table • Inverse of ShiftRow is easy – cyclic shift the other direction • ByteSub is invertible – inverse also implemented as a lookup table
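The following is an added example, not code from the slides or from any AES library: the four AES round layers written out on a 4x4 byte state, together with their inverses, so the “linear vs. nonlinear” labels of slide 4 can be checked directly. GF(2^8) arithmetic is modulo the AES polynomial x^8 + x^4 + x^3 + x + 1 (0x11b). No key schedule is included; the round key in the demo is a constructed constant, so this is one round, not a full AES encryption.

```python
# Added example: the AES layers on one 4x4 state, showing which are linear.
import random
from functools import reduce
from typing import List

State = List[List[int]]          # state[row][col]; AES fills columns first: in[r + 4c]


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8), reducing by the AES polynomial (0x1b after the shift)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def gf_inv(a: int) -> int:
    """Multiplicative inverse via a^254 = a^-1 in GF(2^8); 0 maps to 0 by convention."""
    if a == 0:
        return 0
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r


def _rotl8(x: int, n: int) -> int:
    return ((x << n) | (x >> (8 - n))) & 0xFF


def sbox(x: int) -> int:
    """ByteSub on one byte: inverse in GF(2^8), then the fixed affine map (slide 5, view 1)."""
    b = gf_inv(x)
    return b ^ _rotl8(b, 1) ^ _rotl8(b, 2) ^ _rotl8(b, 3) ^ _rotl8(b, 4) ^ 0x63


SBOX = [sbox(x) for x in range(256)]              # the lookup-table view (slide 5, view 2)
INV_SBOX = [0] * 256
for _i, _v in enumerate(SBOX):
    INV_SBOX[_v] = _i


def sub_bytes(s: State, table=SBOX) -> State:
    return [[table[b] for b in row] for row in s]


def inv_sub_bytes(s: State) -> State:
    return sub_bytes(s, INV_SBOX)


def shift_rows(s: State) -> State:
    """Row r is rotated left by r bytes (slide 7)."""
    return [row[r:] + row[:r] for r, row in enumerate(s)]


def inv_shift_rows(s: State) -> State:
    return [row[-r:] + row[:-r] for r, row in enumerate(s)]


def mix_column(col: List[int], coeffs=(2, 3, 1, 1)) -> List[int]:
    """One column times the circulant MixColumn matrix; coeffs (14, 11, 13, 9) is the inverse."""
    return [reduce(lambda x, y: x ^ y, (gf_mul(coeffs[(j - i) % 4], col[j]) for j in range(4)))
            for i in range(4)]


def mix_columns(s: State, coeffs=(2, 3, 1, 1)) -> State:
    cols = [mix_column([s[r][c] for r in range(4)], coeffs) for c in range(4)]
    return [[cols[c][r] for c in range(4)] for r in range(4)]


def inv_mix_columns(s: State) -> State:
    return mix_columns(s, (14, 11, 13, 9))


def add_round_key(s: State, k: State) -> State:
    return [[s[r][c] ^ k[r][c] for c in range(4)] for r in range(4)]


def aes_round(s: State, k: State) -> State:
    return add_round_key(mix_columns(shift_rows(sub_bytes(s))), k)


def inv_aes_round(s: State, k: State) -> State:
    return inv_sub_bytes(inv_shift_rows(inv_mix_columns(add_round_key(s, k))))


def random_state(rng: random.Random) -> State:
    return [[rng.randrange(256) for _ in range(4)] for _ in range(4)]


def layer_is_additive(layer, trials: int = 20, seed: int = 7) -> bool:
    """f(a) xor f(b) == f(a xor b) on random states: holds for the linear layers only."""
    rng = random.Random(seed)
    for _ in range(trials):
        a, b = random_state(rng), random_state(rng)
        if add_round_key(layer(a), layer(b)) != layer(add_round_key(a, b)):
            return False
    return True


if __name__ == "__main__":
    rng = random.Random(1)
    s, k = random_state(rng), random_state(rng)     # constructed state and round key
    assert inv_aes_round(aes_round(s, k), k) == s
    print("ByteSub additive?  ", layer_is_additive(sub_bytes))    # False: the only nonlinear layer
    print("ShiftRow additive? ", layer_is_additive(shift_rows))   # True
    print("MixColumn additive?", layer_is_additive(mix_columns))  # True
```

The check matters for security, not just bookkeeping: every layer except ByteSub commutes with XOR, so without the S-box the whole cipher would be an affine map and a handful of known plaintext/ciphertext pairs would recover the key by linear algebra.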

  11. A Few Other Block Ciphers • Briefly… – IDEA – Blowfish – RC6 • More detailed… – TEA

  12. IDEA • International Data Encryption Algorithm • Invented by Xuejia Lai and James Massey – Massey is one of the giants of modern crypto • 64-bit block, 128-bit key • Uses mixed-mode arithmetic • Combines different math operations (XOR, addition mod 2^16, multiplication mod 2^16 + 1) – IDEA the first to use this approach • Widely deployed (e.g., in PGP)

  13. Blowfish • Blowfish encrypts 64-bit blocks • Key is variable length, up to 448 bits • Invented by Bruce Schneier • Almost a Feistel cipher: R_i = L_{i-1} ⊕ K_i, L_i = R_{i-1} ⊕ F(L_{i-1} ⊕ K_i) • The round function F uses 4 S-boxes – Each S-box maps 8 bits to 32 bits • Key-dependent S-boxes – S-boxes determined by the key

  14. RC6 • Invented by Ron Rivest • Parameterized by – Block size – Key size – Number of rounds • An AES finalist • Uses data-dependent rotations – Unusual for a cipher’s operations to depend on the data being encrypted • Possibly NSA's algorithm of choice [Jacob Appelbaum 2014]

  15. Time for TEA • Tiny Encryption Algorithm (TEA) • 64-bit block, 128-bit key • Assumes 32-bit arithmetic (all additions are mod 2^32) • Number of rounds is variable – 32 cycles (each cycle updates both halves of the block) is the standard choice • Uses a “weak” round function – large number of rounds required

  16. TEA Encryption (assuming 32 rounds; all arithmetic mod 2^32)
      (K[0], K[1], K[2], K[3]) = 128-bit key
      (L, R) = plaintext (64-bit block)
      delta = 0x9e3779b9
      sum = 0
      for i = 1 to 32
          sum += delta
          L += ((R << 4) + K[0]) ^ (R + sum) ^ ((R >> 5) + K[1])
          R += ((L << 4) + K[2]) ^ (L + sum) ^ ((L >> 5) + K[3])
      next i
      ciphertext = (L, R)

  17. TEA Decryption (assuming 32 rounds; all arithmetic mod 2^32)
      (K[0], K[1], K[2], K[3]) = 128-bit key
      (L, R) = ciphertext (64-bit block)
      delta = 0x9e3779b9
      sum = delta << 5          (i.e., 32 * delta, the final sum of encryption)
      for i = 1 to 32
          R -= ((L << 4) + K[2]) ^ (L + sum) ^ ((L >> 5) + K[3])
          L -= ((R << 4) + K[0]) ^ (R + sum) ^ ((R >> 5) + K[1])
          sum -= delta
      next i
      plaintext = (L, R)

  18. TEA Comments • Almost a Feistel cipher – Uses + and - instead of ⊕ (XOR) • Simple • Easy to implement • Fast • Low memory requirement • Related-key attack (Kelsey, Schneier and Wagner, 1997) • Every key has three equivalent keys, so the effective key size is 126 bits, not 128

  19. TEA Variations • eXtended TEA (XTEA) – eliminates related key attack – slightly more complex • Simplified TEA (STEA) – insecure version – used as an example for cryptanalysis

  20. Block Cipher Modes

  21. Multiple Blocks • How to encrypt multiple blocks? • Do we need a new key for each block? – As bad as (or worse than) a one-time pad! • Encrypt each block independently? • Make encryption depend on previous block? – That is, can we “chain” the blocks together? • How to handle partial blocks? – We won’t discuss this issue

  22. Modes of Operation • Many modes: we discuss the 3 most popular • Electronic Codebook (ECB) mode – Encrypt each block independently – Most obvious, but has a serious weakness • Cipher Block Chaining (CBC) mode – Chain the blocks together – More secure than ECB, virtually no extra work • Counter (CTR) mode – Block cipher acts like a stream cipher – Popular for random access • None of these modes provides integrity (see the Integrity slides)

  23. ECB Mode • Notation: C = E(P, K) • Given plaintext P_0, P_1, …, P_m, … • Most obvious way to use a block cipher: Encrypt: C_0 = E(P_0, K), C_1 = E(P_1, K), C_2 = E(P_2, K), … Decrypt: P_0 = D(C_0, K), P_1 = D(C_1, K), P_2 = D(C_2, K), … • For fixed key K, this is the “electronic” version of a codebook cipher (without additive) – With a different codebook for each key

  24. ECB Cut and Paste • Suppose plaintext is Alice luvs Bob. Trudy luvs Joe. • Assuming 64-bit blocks and 8-bit ASCII: P_0 = “Alice lu”, P_1 = “vs Bob. ”, P_2 = “Trudy lu”, P_3 = “vs Joe. ” • Ciphertext: C_0, C_1, C_2, C_3 • Trudy cuts and pastes: C_0, C_3, C_2, C_1 • Decrypts as Alice luvs Joe. Trudy luvs Bob. • Trudy needs no knowledge of the key

  25. ECB Weakness • Suppose P_i = P_j • Then C_i = C_j and Trudy knows P_i = P_j • This gives Trudy some information, even if she does not know P_i or P_j • Trudy might know P_i • Is this a serious issue?

  26. Alice Hates ECB Mode • Alice’s uncompressed image, and ECB encrypted (TEA) • Why does this happen? • Same plaintext yields same ciphertext!

  27. CBC Mode • Blocks are “chained” together • A random initialization vector, or IV, is required to initialize CBC mode • IV is random, but not secret – it must be unpredictable to the attacker, not merely unique: a predictable IV allows chosen-plaintext attacks on the first block Encryption: C_0 = E(IV ⊕ P_0, K), C_1 = E(C_0 ⊕ P_1, K), C_2 = E(C_1 ⊕ P_2, K), … Decryption: P_0 = IV ⊕ D(C_0, K), P_1 = C_0 ⊕ D(C_1, K), P_2 = C_1 ⊕ D(C_2, K), … • Analogous to classic codebook with additive

  28. Garbled CBC message (in class)

  29. CBC Mode • Identical plaintext blocks yield different ciphertext blocks • If C_1 is garbled to, say, G then P_1 ≠ C_0 ⊕ D(G, K), P_2 ≠ G ⊕ D(C_2, K) • But P_3 = C_2 ⊕ D(C_3, K), P_4 = C_3 ⊕ D(C_4, K), … • Automatically recovers from errors after two blocks • Cut and paste is still possible, but more complex (and will cause garbles)

  30. Alice Likes CBC Mode • Alice’s uncompressed image, Alice CBC encrypted (TEA) • Why does this happen? • Same plaintext yields different ciphertext!

  31. Counter Mode (CTR) • CTR is popular for random access • Use block cipher like a stream cipher Encryption: C_0 = P_0 ⊕ E(IV, K), C_1 = P_1 ⊕ E(IV+1, K), C_2 = P_2 ⊕ E(IV+2, K), … Decryption: P_0 = C_0 ⊕ E(IV, K), P_1 = C_1 ⊕ E(IV+1, K), P_2 = C_2 ⊕ E(IV+2, K), … • Only the forward function E is needed: encryption and decryption are the same operation • The counter values (IV, IV+1, …) must never repeat under the same key: a reused keystream block reveals P_i ⊕ P_j, exactly as with a reused one-time pad

  32. Integrity

  33. Data Integrity • Integrity: detect unauthorized writing (i.e., modification of data) • Example: Inter-bank fund transfers – Confidentiality may be nice, integrity is critical • Encryption provides confidentiality – prevents unauthorized disclosure • Encryption alone does not provide integrity – One-time pad, ECB cut-and-paste, etc.

  34. MAC • Message Authentication Code (MAC) – Used for data integrity – Integrity not the same as confidentiality • Here the MAC is computed as the CBC residue (CBC-MAC) – That is, compute CBC encryption, saving only the final ciphertext block, the MAC

  35. MAC Computation • MAC computation (assuming N blocks) C_0 = E(IV ⊕ P_0, K), C_1 = E(C_0 ⊕ P_1, K), C_2 = E(C_1 ⊕ P_2, K), …, C_{N-1} = E(C_{N-2} ⊕ P_{N-1}, K) = MAC • MAC sent with IV and plaintext • Receiver does same computation and verifies that result agrees with MAC • Note: receiver must know the key K • Caveat: if Trudy can alter the transmitted IV, she can change P_0 to P_0 ⊕ Δ and IV to IV ⊕ Δ without changing the MAC, because only IV ⊕ P_0 enters the computation; standard CBC-MAC therefore fixes IV = 0, and even then is only secure for messages of a fixed, agreed length

  36. Corrupted MAC example (in class)
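The following is an added, runnable example and not code from the slides or the course: TEA as given on slides 16 and 17, with the mod 2^32 arithmetic made explicit, used as the block cipher for the ECB, CBC and CTR modes of slides 23 to 31 and for the CBC-residue MAC of slides 34 and 35. The demo functions reproduce the ECB cut-and-paste of slide 24, the garbled-CBC recovery of slide 29 (the “in class” example of slide 28), CTR keystream reuse, and the IV/P_0 forgery against a MAC sent with a modifiable IV (the “corrupted MAC” example of slide 36). The key, IV and messages are constructed for the demo.

```python
# Added example: TEA (slides 16-17) driving ECB/CBC/CTR (slides 23-31) and CBC-MAC (slides 34-35).
import struct

MASK32 = 0xFFFFFFFF
DELTA = 0x9E3779B9
BLOCK = 8                                   # TEA block size in bytes


def _mix(v, s, k0, k1):
    """TEA half-round term ((v<<4)+k0) ^ (v+sum) ^ ((v>>5)+k1), reduced mod 2^32."""
    return ((((v << 4) & MASK32) + k0) ^ (v + s) ^ ((v >> 5) + k1)) & MASK32


def tea_encrypt_block(block: bytes, key: bytes, rounds: int = 32) -> bytes:
    L, R = struct.unpack(">2I", block)
    K = struct.unpack(">4I", key)
    s = 0
    for _ in range(rounds):
        s = (s + DELTA) & MASK32
        L = (L + _mix(R, s, K[0], K[1])) & MASK32
        R = (R + _mix(L, s, K[2], K[3])) & MASK32
    return struct.pack(">2I", L, R)


def tea_decrypt_block(block: bytes, key: bytes, rounds: int = 32) -> bytes:
    L, R = struct.unpack(">2I", block)
    K = struct.unpack(">4I", key)
    s = (DELTA * rounds) & MASK32           # equals delta << 5 for 32 rounds (slide 17)
    for _ in range(rounds):
        R = (R - _mix(L, s, K[2], K[3])) & MASK32
        L = (L - _mix(R, s, K[0], K[1])) & MASK32
        s = (s - DELTA) & MASK32
    return struct.pack(">2I", L, R)


def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def blocks(data): return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
def ecb_encrypt(pt, key): return b"".join(tea_encrypt_block(p, key) for p in blocks(pt))
def ecb_decrypt(ct, key): return b"".join(tea_decrypt_block(c, key) for c in blocks(ct))


def cbc_encrypt(pt, key, iv):
    out, prev = [], iv
    for p in blocks(pt):
        prev = tea_encrypt_block(xor(p, prev), key)        # C_i = E(C_{i-1} xor P_i, K)
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(ct, key, iv):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(tea_decrypt_block(c, key), prev))   # P_i = C_{i-1} xor D(C_i, K)
        prev = c
    return b"".join(out)


def ctr_xor(data, key, iv):
    """CTR: encryption and decryption are the same XOR with E(IV + i, K)."""
    ctr = int.from_bytes(iv, "big")
    out = []
    for i, chunk in enumerate(blocks(data)):
        ks = tea_encrypt_block(((ctr + i) & 0xFFFFFFFFFFFFFFFF).to_bytes(8, "big"), key)
        out.append(xor(chunk, ks))                         # zip() trims a short last block
    return b"".join(out)


def cbc_mac(pt, key, iv):
    """CBC residue: the last ciphertext block of CBC encryption (slide 35)."""
    return cbc_encrypt(pt, key, iv)[-BLOCK:]


# --- demos on constructed inputs ---
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
IV = bytes.fromhex("0123456789abcdef")
MSG = b"Alice luvs Bob. Trudy luvs Joe. "           # four 8-byte blocks, space-padded


def ecb_cut_and_paste():
    """Slide 24: reorder ciphertext blocks to C0,C3,C2,C1; Trudy never touches the key."""
    C = blocks(ecb_encrypt(MSG, KEY))
    return ecb_decrypt(C[0] + C[3] + C[2] + C[1], KEY)


def cbc_garbled_blocks():
    """Slide 29: flip one bit of C1; return the indices of plaintext blocks that change."""
    C = blocks(cbc_encrypt(MSG, KEY, IV))
    C[1] = bytes([C[1][0] ^ 0x80]) + C[1][1:]
    recovered = blocks(cbc_decrypt(b"".join(C), KEY, IV))
    return [i for i, (p, q) in enumerate(zip(blocks(MSG), recovered)) if p != q]


def ctr_reuse_leak(p1, p2):
    """Two messages under one (key, IV): C1 xor C2 equals P1 xor P2."""
    return xor(ctr_xor(p1, KEY, IV), ctr_xor(p2, KEY, IV))


def mac_forgery_passes():
    """Slide 35 caveat: change IV and P0 by the same delta; the CBC residue is unchanged."""
    delta = b"Trudy!!!"
    forged = xor(MSG[:BLOCK], delta) + MSG[BLOCK:]
    return cbc_mac(forged, KEY, xor(IV, delta)) == cbc_mac(MSG, KEY, IV)


if __name__ == "__main__":
    print(ecb_cut_and_paste())      # b'Alice luvs Joe. Trudy luvs Bob. '
    print(cbc_garbled_blocks())     # [1, 2]
    print(mac_forgery_passes())     # True
```

The same TEA primitive gives three different security outcomes depending only on the mode: ECB leaks block equality and permits splicing, CBC localizes a corrupted block to two plaintext blocks but still accepts the forgery, and CTR is fine until a counter value is reused. None of the three detects modification, which is what the MAC is for; and the MAC itself is only as strong as the handling of its IV.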
