Cryptography and Network Security Chapter 5

1
Cryptography and Network Security Chapter 5 7

• Dr. Orest Pilskalns

2
Chapter 5 Advanced Encryption Standard

• "It seems very simple."
• "It is very simple. But if you don't know what
  the key is it's virtually indecipherable."
• Talking to Strange Men, Ruth Rendell

3
Review

• What is an modular inverse?
• b.b-11 (mod m)
• example 3 x 1 mod 7
• x -2
• -6 1 mod 7
• Why? 7 goes into -6 (-1 times) so -6-(-7) 1

4
How do we calculate the modular inverse?

• 1234 mod 4321 (whats the inverse)
• Extended Euclidean Algorithm
• gcd 4321 1234
• gcd 1234 619
• gcd 619 615
• gcd 615 4
• gcd 4 3
• gcd 3 1
• gcd 1 0

5
Extended Euclidean Continued

• Extended-Euclid(a,b)
• if b0 return (1,0,a)
• (x,y,d) Extended-Euclid(b,a mod b)
• return (y,x floor(a/b) y,d)
• (1,0,1) ? x 0, y 1-3/1 (0) 1, z 1 (a3,
  b1)
• (0,1,1) ? x 1, y 0 4/3 (1) -1, z 1
  (a4, b3)
• (1,-1,1)? x -1, y 1 615/4 (-1) 154, z 1
  (a615,154)
• (-1, 154, 1) ? x 152, y -1 (619/615) 154
  -155, z 1 (a619, b615)
• (154, -155, 1) ? x 154, 154 (1234/619) -155
  309, z 1 (a1234, b619)
• (-155,309,1) ? x 309, -155 (4321,1234) 309
  -1082, z1 (a4321, 1234)
• -1082 1234 1 mod 4321
• 309 4321 1 mod 1234

6
Review Continued

• Inverse of x3 x 1 in GF(24),
• Use m(x) x4 x 1 (irreducible polynomial)
• Need to use Euclids Extended Algorithm
• Extended-Euclid(a,b)
• if b0 return (1,0,a)
• (x,y,d) Extended-Euclid(b,a mod b)
• return (y,x floor(a/b) y,d)
• GCD(x4 x 1, x3 x 1) x Remainder x21
• GCD(x3 x 1, x21) x Remainder 1
• GCD(x21, 1) x2 Remainder 0
• GCD(x2,0) (thus b 0) so return (1,0, 1)

7
Review Continued

• Extended-Euclid(a,b)
• if b0 return (1,0,a)
• (x,y,d) Extended-Euclid(b,a mod b)
• return (y,x floor(a/b) y,d)
• (1,0, 1) ? x 0, y 1-(x21/1)(0) 1, z 1
• (0,1, 1) ? x 1, y 0 (x3 x1/ x21)1, z1
• (1,-x,1)? x -x, y 1 (x4x1/ x3x1)(-x),
  z1
• (-x, x21,1)

8
Origins

• clear a replacement for DES was needed
• have theoretical attacks that can break it
• have demonstrated exhaustive key search attacks
• can use Triple-DES but slow, has small blocks
• US NIST issued call for ciphers in 1997
• 15 candidates accepted in Jun 98
• 5 were shortlisted in Aug-99
• Rijndael was selected as the AES in Oct-2000
• issued as FIPS PUB 197 standard in Nov-2001

9
AES Requirements

• private key symmetric block cipher
• 128-bit data, 128/192/256-bit keys
• stronger faster than Triple-DES
• active life of 20-30 years ( archival use)
• provide full specification design details
• both C Java implementations
• NIST have released all submissions unclassified
  analyses

10
AES Evaluation Criteria

• initial criteria
• security effort for practical cryptanalysis
• cost in terms of computational efficiency
• algorithm implementation characteristics
• final criteria
• general security
• ease of software hardware implementation
• implementation attacks
• flexibility (in en/decrypt, keying, other factors)

11
AES Shortlist

• after testing and evaluation, shortlist in
  Aug-99
• MARS (IBM) - complex, fast, high security margin
• RC6 (USA) - v. simple, v. fast, low security
  margin
• Rijndael (Belgium) - clean, fast, good security
  margin
• Serpent (Euro) - slow, clean, v. high security
  margin
• Twofish (USA) - complex, v. fast, high security
  margin
• then subject to further analysis comment
• saw contrast between algorithms with
• few complex rounds verses many simple rounds
• which refined existing ciphers verses new
  proposals

12
The AES Cipher - Rijndael

• designed by Rijmen-Daemen in Belgium
• has 128/192/256 bit keys, 128 bit data
• an iterative rather than feistel cipher
• processes data as block of 4 columns of 4 bytes
• operates on entire data block in every round
• designed to be
• resistant against known attacks
• speed and code compactness on many CPUs
• design simplicity

13
Rijndael

• data block of 4 columns of 4 bytes is state
• key is expanded to array of words
• has 9/11/13 rounds in which state undergoes
• byte substitution (1 S-box used on every byte)
• shift rows (permute bytes between groups/columns)
  
• mix columns (subs using matrix multipy of groups)
  
• add round key (XOR state with key material)
• view as alternating XOR key scramble data bytes
• initial XOR key material incomplete last round
• with fast XOR table lookup implementation

14
Rijndael
15
Byte Substitution

• a simple substitution of each byte
• uses one table of 16x16 bytes containing a
  permutation of all 256 8-bit values
• each byte of state is replaced by byte indexed by
  row (left 4-bits) column (right 4-bits)
• eg. byte 95 is replaced by byte in row 9 column
  5
• which has value 2A
• S-box constructed using defined transformation of
  values in GF(28)
• designed to be resistant to all known attacks

16
Byte Substitution
17
Shift Rows

• a circular byte shift in each each
• 1st row is unchanged
• 2nd row does 1 byte circular shift to left
• 3rd row does 2 byte circular shift to left
• 4th row does 3 byte circular shift to left
• decrypt inverts using shifts to right
• since state is processed by columns, this step
  permutes bytes between the columns

18
Shift Rows
19
Mix Columns

• each column is processed separately
• each byte is replaced by a value dependent on all
  4 bytes in the column
• effectively a matrix multiplication in GF(28)
  using prime poly m(x) x8x4x3x1

20
Mix Columns
21
Mix Columns

• can express each col as 4 equations
• to derive each new byte in col
• decryption requires use of inverse matrix
• with larger coefficients, hence a little harder
• have an alternate characterisation
• each column a 4-term polynomial
• with coefficients in GF(28)
• and polynomials multiplied modulo (x41)

22
Add Round Key

• XOR state with 128-bits of the round key
• again processed by column (though effectively a
  series of byte operations)
• inverse for decryption identical
• since XOR own inverse, with reversed keys
• designed to be as simple as possible
• a form of Vernam cipher on expanded key
• requires other stages for complexity / security

23
Add Round Key
24
AES Round
25
AES Key Expansion

• takes 128-bit (16-byte) key and expands into
  array of 44/52/60 32-bit words
• start by copying key into first 4 words
• then loop creating words that depend on values in
  previous 4 places back
• in 3 of 4 cases just XOR these together
• 1st word in 4 has rotate S-box XOR round
  constant on previous, before XOR 4th back

26
AES Key Expansion
27
Key Expansion Rationale

• designed to resist known attacks
• design criteria included
• knowing part key insufficient to find many more
• invertible transformation
• fast on wide range of CPUs
• use round constants to break symmetry
• diffuse key bits into round keys
• enough non-linearity to hinder analysis
• simplicity of description

28
AES Decryption

• AES decryption is not identical to encryption
  since steps done in reverse
• but can define an equivalent inverse cipher with
  steps as for encryption
• but using inverses of each step
• with a different key schedule
• works since result is unchanged when
• swap byte substitution shift rows
• swap mix columns add (tweaked) round key

29
AES Decryption
30
Implementation Aspects

• can efficiently implement on 8-bit CPU
• byte substitution works on bytes using a table of
  256 entries
• shift rows is simple byte shift
• add round key works on byte XORs
• mix columns requires matrix multiply in GF(28)
  which works on byte values, can be simplified to
  use table lookups byte XORs

31
Implementation Aspects

• can efficiently implement on 32-bit CPU
• redefine steps to use 32-bit words
• can precompute 4 tables of 256-words
• then each column in each round can be computed
  using 4 table lookups 4 XORs
• at a cost of 4Kb to store tables
• designers believe this very efficient
  implementation was a key factor in its selection
  as the AES cipher

32
Summary

• have considered
• the AES selection process
• the details of Rijndael the AES cipher
• looked at the steps in each round
• the key expansion
• implementation aspects

33
Cryptography and Network Security - Chapter 7

• Dr. Orest Pilskalns

34
Chapter 7 Confidentiality UsingSymmetric
Encryption

• John wrote the letters of the alphabet under the
  letters in its first lines and tried it against
  the message. Immediately he knew that once more
  he had broken the code. It was extraordinary the
  feeling of triumph he had. He felt on top of the
  world. For not only had he done it, had he broken
  the July code, but he now had the key to every
  future coded message, since instructions as to
  the source of the next one must of necessity
  appear in the current one at the end of each
  month.
• Talking to Strange Men, Ruth Rendell

35
Confidentiality using Symmetric Encryption

• traditionally symmetric encryption is used to
  provide message confidentiality

36
Placement of Encryption

• have two major placement alternatives
• link encryption
• encryption occurs independently on every link
• implies must decrypt traffic between links
• requires many devices, but paired keys
• end-to-end encryption
• encryption occurs between original source and
  final destination
• need devices at each end with shared keys

37
Placement of Encryption
38
Placement of Encryption

• when using end-to-end encryption must leave
  headers in clear
• so network can correctly route information
• hence although contents protected, traffic
  pattern flows are not
• ideally want both at once
• end-to-end protects data contents over entire
  path and provides authentication
• link protects traffic flows from monitoring

39
Placement of Encryption

• can place encryption function at various layers
  in OSI Reference Model
• link encryption occurs at layers 1 or 2
• end-to-end can occur at layers 3, 4, 6, 7
• as move higher less information is encrypted but
  it is more secure though more complex with more
  entities and keys

40
Encryption vs Protocol Level
41
Traffic Analysis

• is monitoring of communications flows between
  parties
• useful both in military commercial spheres
• can also be used to create a covert channel
• link encryption obscures header details
• but overall traffic volumes in networks and at
  end-points is still visible
• traffic padding can further obscure flows
• but at cost of continuous traffic

42
Key Distribution

• symmetric schemes require both parties to share a
  common secret key
• issue is how to securely distribute this key
• often secure system failure due to a break in the
  key distribution scheme

43
Key Distribution

• given parties A and B have various key
  distribution alternatives
• A can select key and physically deliver to B
• third party can select deliver key to A B
• if A B have communicated previously can use
  previous key to encrypt a new key
• if A B have secure communications with a third
  party C, C can relay key between A B

44
Key Hierarchy

• typically have a hierarchy of keys
• session key
• temporary key
• used for encryption of data between users
• for one logical session then discarded
• master key
• used to encrypt session keys
• shared by user key distribution center

45
Key Distribution Scenario
46
Key Distribution Issues

• hierarchies of KDCs required for large networks,
  but must trust each other
• session key lifetimes should be limited for
  greater security
• use of automatic key distribution on behalf of
  users, but must trust system
• use of decentralized key distribution
• controlling key usage

47
Random Numbers

• many uses of random numbers in cryptography
• nonces in authentication protocols to prevent
  replay
• session keys
• public key generation
• keystream for a one-time pad
• in all cases its critical that these values be
• statistically random, uniform distribution,
  independent
• unpredictability of future values from previous
  values

48
Pseudorandom Number Generators (PRNGs)

• often use deterministic algorithmic techniques to
  create random numbers
• although are not truly random
• can pass many tests of randomness
• known as pseudorandom numbers
• created by Pseudorandom Number Generators
  (PRNGs)

49
Linear CongruentialGenerator

• common iterative technique using
• Xn1 (aXn c) mod m
• given suitable values of parameters can produce a
  long random-like sequence
• suitable criteria to have are
• function generates a full-period
• generated sequence should appear random
• efficient implementation with 32-bit arithmetic
• note that an attacker can reconstruct sequence
  given a small number of values
• have possibilities for making this harder

50
Using Block Ciphers as PRNGs

• for cryptographic applications, can use a block
  cipher to generate random numbers
• often for creating session keys from master key
• Counter Mode
• Xi EKmi
• Output Feedback Mode
• Xi EKmXi-1

51
ANSI X9.17 PRG
52
Blum Blum Shub Generator

• based on public key algorithms
• use least significant bit from iterative
  equation
• xi xi-12 mod n
• where np.q, and primes p,q3 mod 4
• unpredictable, passes next-bit test
• security rests on difficulty of factoring N
• is unpredictable given any run of bits
• slow, since very large numbers must be used
• too slow for cipher use, good for key generation

53
Natural Random Noise

• best source is natural randomness in real world
• find a regular but random event and monitor
• do generally need special h/w to do this
• eg. radiation counters, radio noise, audio noise,
  thermal noise in diodes, leaky capacitors,
  mercury discharge tubes etc
• starting to see such h/w in new CPU's
• problems of bias or uneven distribution in signal
  
• have to compensate for this when sample and use
• best to only use a few noisiest bits from each
  sample

54
Published Sources

• a few published collections of random numbers
• Rand Co, in 1955, published 1 million numbers
• generated using an electronic roulette wheel
• has been used in some cipher designs cf Khafre
• earlier Tippett in 1927 published a collection
• issues are that
• these are limited
• too well-known for most uses

55
Summary

• have considered
• use and placement of symmetric encryption to
  protect confidentiality
• need for good key distribution
• use of trusted third party KDCs
• random number generation issues