computer and network security - PowerPoint PPT Presentation

Slides: 27
Provided by: mattb7

1
computer and network security
  • matt barrie
  • <mattb@alumni.stanford.org>

2
stream cyphers
  • In an OTP, the secret key is the random n-bit
    stream.
  • Stream cyphers replace this random stream with a
    pseudorandom bitstream.
  • The secret key is the seed used to generate the
    pseudorandom stream.
  • E(m, seed) = m ⊕ RNG(seed)
  • D(c, seed) = c ⊕ RNG(seed)

[Figure: seed → pseudorandom stream; plaintext ⊕ pseudorandom stream → cyphertext]
3
security of stream cyphers
  • Tradeoff perfect secrecy for ease of
    implementation / use.
  • The security of the cypher is dependent on the
    security of the pseudorandom number generator.
  • It should be computationally hard to determine
    either the seed or the next number in sequence.
  • Since the random number generator is
    deterministic, the seed should only be used for
    one session.
  • Stream cyphers are much faster than block
    cyphers.
  • To avoid using the same seed twice, we can
    encrypt it using stronger crypto and append it to
    the cyphertext (to tell the other party)
  • E(m, k) = DES(seed, k) ‖ (m ⊕ RNG(seed))
             (strong)          (fast)

4
pseudorandom number generators
  • Linear Congruential Generators
  • x_{n+1} = (a·x_n + b) mod c
  • e.g. Unix rand() function
  • a, b, c are constants
  • Period of generator is less than c
  • Cannot be used for security - easily predictable!
  • Only need two values to reconstruct the internal
    state.
  • Was used by an Internet casino who were so sure
    of their code, they published their algorithms!
  • With the expected results
  • Moral of the story: don't use!
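The predictability point above in working code, as an added example that is not part of the slides: an LCG with constructed constants a, b, c, and a function that recovers b from two consecutive outputs and then predicts the next one without ever learning the seed.

```python
# Added example (not from the slides): a linear congruential generator
# x_{n+1} = (a*x_n + b) mod c, and why it is unusable for security.
# Constants are constructed with the same shape as a classic C rand().
A, B, C = 1103515245, 12345, 2 ** 31


def lcg(seed: int, count: int, a: int = A, b: int = B, c: int = C) -> list:
    """Return the first `count` outputs of the generator started at `seed`."""
    out, x = [], seed % c
    for _ in range(count):
        x = (a * x + b) % c
        out.append(x)
    return out


def recover_increment(x1: int, x2: int, a: int = A, c: int = C) -> int:
    """Given two consecutive outputs and known a, c, recover b.

    An LCG's whole internal state is its last output, so two consecutive
    outputs fix the remaining constant and with it every future output.
    This is the "only need two values" point on the slide.
    """
    return (x2 - a * x1) % c


def predict_next(x1: int, x2: int, a: int = A, c: int = C) -> int:
    """Predict the output after x2 without ever learning the seed."""
    return (a * x2 + recover_increment(x1, x2, a, c)) % c


def demo() -> bool:
    """Observe two outputs, predict the third, compare with the real one."""
    stream = lcg(seed=20240607, count=3)
    return predict_next(stream[0], stream[1]) == stream[2]
```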

5
linear feedback shift registers
  • Linear Feedback Shift Registers (LFSRs)
  • Seed is the initial value of the shift register
  • Feedback network based on polynomials in finite
    fields
  • Easy and fast in hardware
  • Problem
  • Tap configuration can be determined from 2n
    output bits

[Figure: n-bit shift register with feedback taps]
6
rc4
  • Wide applications in cryptography
  • Based on permutations of a 256 byte array
  • The seed is the initial value of the array
  • RC4's key scheduling algorithm has problems
  • i, j = 0
  • while (1)
  •   i = i + 1 (mod 256)
  •   j = j + s[i] (mod 256)
  •   swap(s[i], s[j])
  •   t = s[i] + s[j] (mod 256)
  •   output s[t]

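The stream-cypher construction of slide 2 instantiated with the RC4 loop above, as an added example that is not part of the slides: the key schedule builds the 256-byte array from the seed, the output loop is the one on the slide, and the last function shows why a seed must only be used for one session.

```python
# Added example (not from the slides): RC4 as a concrete instance of
# E(m, seed) = m XOR RNG(seed). The key schedule builds the 256-byte
# permutation from the seed; the output loop is the one on the slide.
# Shown for teaching only: RC4's key schedule is known to be flawed.


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """Return `length` keystream bytes generated from `seed`."""
    # Key scheduling: start from the identity permutation, mix in the seed.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) % 256
        s[i], s[j] = s[j], s[i]
    # Output generation, step for step as on the slide.
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        t = (s[i] + s[j]) % 256
        out.append(s[t])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(m: bytes, seed: bytes) -> bytes:
    """E(m, seed) = m XOR RNG(seed)."""
    return xor_bytes(m, rc4_keystream(seed, len(m)))


def decrypt(c: bytes, seed: bytes) -> bytes:
    """D(c, seed) = c XOR RNG(seed): the same operation as encryption."""
    return xor_bytes(c, rc4_keystream(seed, len(c)))


def keystream_reuse_leak(m1: bytes, m2: bytes, seed: bytes) -> bytes:
    """Why a seed must serve one session only: encrypting two messages under
    the same keystream gives c1 XOR c2 == m1 XOR m2, so the keystream cancels
    out and the relationship between the plaintexts is exposed."""
    return xor_bytes(encrypt(m1, seed), encrypt(m2, seed))
```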
7
History of DES
  • 1970s IBM Research Team led by Feistel devises a
    cypher called LUCIFER with a 128-bit message,
    cyphertext and keyspace.
  • 1973 NBS (now NIST) asks for a proposed data
    encryption standard.
  • 1974 IBM develops DES from LUCIFER.
  • 1975 The NSA fixes DES
  • shortens key to 56 bits (on 64 bit blocks)
  • plays with S (substitution) boxes
  • additional permutations
  • 1977 DES adopted and heavily used to secure
    financial transactions.
  • 1991 Biham & Shamir discover that the modifications
    made to DES make it resilient to differential
    cryptanalysis.
  • 1993 Michael Wiener from Nortel theorises a
    USD1M machine could crack DES in 3.5 hours
    using off the shelf components
  • 1997 DES cracked by brute force by
    Distributed.net in 96 days.

8
NSA
  • Was the NSA playing the resource game?
  • "NSA doesn't want a strong cryptosystem as a
    national standard, because it is afraid of not
    being able to read the messages. On the other
    hand, if NSA endorses a weak cryptographic system
    and is discovered, it will get a terrible black
    eye." - EFF 1998

9
DES
  • Data Encryption Standard (DES)
  • Block cypher (64-bit blocks, 56-bit key)
  • 16-round Feistel network
  • A particular construction which is reversible
  • c = DES_k(m)
  • m = DES_k^-1(c)
  • Note key schedule is reversed
  • Operates in many different modes
  • World's most heavily used and analysed cypher
  • We still don't understand it properly after 25
    years
  • The NSA knew more than we do now 20 years ago

10
feistel networks
  • Ladder structure
  • Input is split into two blocks, the left and
    right halves
  • The functions f1 … fk are arbitrary mappings
  • f1 … fk : {0,1}^n → {0,1}^n

[Figure: three-round Feistel ladder. Input halves l0 (left) and r0 (right); each round computes l_i = r_{i-1}, r_i = l_{i-1} ⊕ f_i(r_{i-1}); rounds 1, 2, 3 apply f1, f2, f3 and produce (l1, r1), (l2, r2), (l3, r3); finally, if the number of rounds is even, the halves are swapped.]
11
feistel structure
  • Express cypher as combination of successive round
    functions (can be any number of rounds)
  • Ψ(f1, f2, f3)
  • To decrypt, simply use the rounds in reverse
    order i.e.
  • Ψ^-1(f1, f2, …, f2k-1) = Ψ(f2k-1, …, f2, f1)
  • Round functions do not need to be invertible
  • If fi are random functions then Ψ() is
    indistinguishable from a random permutation under
    a chosen plaintext attack
  • This lets us turn any one-way function into a
    block cypher
  • We can thus optimise round functions individually

12
DES structure
  • Initial permutation to discourage software
    implementations (transposition)
  • Plaintext split into left and right halves (each
    32 bits, expanded to 48)
  • P-boxes to confuse (permutation), S-boxes to
    destroy (substitution); 16 rounds
  • Key schedule s1..s16 derived from key (each is 48
    of 56 bits)
  • Inverse of initial permutation
13
DES internals
  • 16 round Feistel network with functions f1 … f16
    derived from the key (through the key scheduling
    algorithm)
  • DES can be defined by the following equations
  • M = L0 R0 (L0 and R0 are 32 bits each)
  • L_i = R_{i-1} (16 rounds)
  • R_i = L_{i-1} ⊕ F(R_{i-1}, k_i)
  • C = R16 L16 (output)
  • Each k_i is the i-th subkey derived from the key k
    according to a key schedule.
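The Feistel equations of slides 10, 11 and 13 in working code, as an added example that is not part of the slides: SHA-256 stands in for the one-way round function F (not invertible, yet the network is), decryption is the same network with the subkeys reversed, and the block size, round count and key schedule are constructed rather than DES's.

```python
# Added example (not from the slides): a generic Feistel network using the
# DES equations  L_i = R_{i-1},  R_i = L_{i-1} XOR F(R_{i-1}, k_i),  output R_n L_n.
# SHA-256 stands in for the round function F: it is one-way and NOT invertible,
# yet the network is, and decryption is the same network with the subkeys
# reversed. Block size, round count and key schedule are constructed, not DES's.
import hashlib

HALF = 4  # bytes per half-block, so 64-bit blocks like DES


def round_function(r: bytes, subkey: bytes) -> bytes:
    """F(R, k_i): a non-invertible keyed mapping of a 32-bit half."""
    return hashlib.sha256(subkey + r).digest()[:HALF]


def key_schedule(key: bytes, rounds: int) -> list:
    """Derive subkeys k_1..k_n from the key (constructed schedule)."""
    return [hashlib.sha256(key + bytes([i])).digest()[:8] for i in range(rounds)]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def feistel(block: bytes, subkeys: list) -> bytes:
    """One round per subkey, then output R_n L_n (the final swap)."""
    left, right = block[:HALF], block[HALF:]
    for k in subkeys:
        left, right = right, xor_bytes(left, round_function(right, k))
    return right + left


def encrypt_block(m: bytes, key: bytes, rounds: int = 16) -> bytes:
    return feistel(m, key_schedule(key, rounds))


def decrypt_block(c: bytes, key: bytes, rounds: int = 16) -> bytes:
    # Psi^-1(f_1, ..., f_n) = Psi(f_n, ..., f_1): reverse the key schedule.
    return feistel(c, key_schedule(key, rounds)[::-1])


def bit_difference(a: bytes, b: bytes) -> int:
    """Count differing bits: a quick check of the avalanche effect."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))
```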

14
DES round functions
  • The function F(x, k_i) : {0,1}^32 × {0,1}^48 → {0,1}^32

[Figure: F(x, k_i): x (32 bits) is expanded to 48 bits and combined with k_i (48 bits); the 48 bits feed 8 S-boxes s1 … s8 (6 bits in, 4 bits out each; substitution, nonlinear, "confuse") giving 32 bits, which then pass through the P-box P (permutation, "destroy").]
15
avalanche effect in DES
  • DES is designed so that a minor change in the key
    or the plaintext results in a dramatic change in
    the cyphertext.

  Round   Bits different in cyphertext
          after 1-bit change in plaintext   after 1-bit change in key
    0               1                               0
    1               6                               2
    2              21                              14
    3              35                              28
    4              39                              32
    5              34                              30
    6              32                              32
    7              31                              35
    8              29                              34
    9              42                              40
   10              44                              38
   11              32                              31
   12              30                              33
   13              30                              28
   14              26                              26
   15              29                              34
   16              34                              35

Change quickly avalanches, so the difference between
cyphertexts approaches that of any two chosen at
random (half the bits in error on average)
16
DES is broken
  • DES has been found to hold up well against many
    forms of cryptanalysis, but fell to brute force.
  • The problem is that Moore's Law has caught up.
  • Security is all about resources, and these
    resources ride the silicon curve.
  • 1993 Michael Wiener theorises USD1M machine
    brute force in 3.5 hours.
  • 1997 www.distributed.net 78,000 PCs brute force
    DES in 96 days.
  • 1998 EFF Deep Crack machine (USD250k) and
    Distributed.net break DES in less than a
    day (3 days for the whole keyspace)
  • 2001 Sub-USD1M custom chip machine brute force
    in under 30 minutes.

17
EFF DES cracker
  • Based on low-volume gate array machine built with
    AWT
  • Exploits Hardware parallelism
  • 24 DES Search Units / Chip
  • 64 Chips / Board (1800 chips total)
  • 27 Boards total in 2 Sun VME Chassis
  • DES performed in 16 cycles
  • Clocked at 40 MHz!
  • 2.5 Million keys / second
  • Total Cost (1997) USD250k
  • Brute force keyspace in 3 days

18
cryptanalysis cost metrics
  • 1993 Wiener's theoretical machine: 1.3 × 10^10 dollar-seconds (d-s)
  • 1997 Distributed.net effort: 6.5 × 10^14 d-s
  • Assuming USD 1000/machine!
  • 1998 EFF Deep Crack: 6.5 × 10^10 d-s
  • Moral of the story
  • Highly parallel special purpose hardware is much
    more efficient than massively parallel general
    purpose processors.
  • The Future?
  • Cryptanalysis using modern FPGAs
  • e.g. Xilinx Virtex-II Pro: 125,000 CLBs and up
    to 4 PPC cores @ 400 MHz
  • Gain efficiencies using highly-parallel arrays of
    crack cores
  • FPGAs can clock @ 100-200 MHz vs. 40 MHz
  • 4x higher densities
  • Arbitrary function blocks in modern CLBs ideal
    for P/S-boxes
  • Exhaust space in 3-7 hours for same cost as DES
    cracker?

19
DES modes of operation
  • Electronic Code Book (ECB)
  • Each 64 bit block is encrypted separately.
  • Vulnerable to dictionary attacks.

[Figure: ECB: each plaintext block m_i is encrypted independently, c_i = E_k(m_i)]
20
ECB properties
  • Identical plaintext blocks result in identical
    cyphertext blocks
  • Blocks are encyphered independently
  • reordering cyphertext blocks results in reordered
    plaintext blocks
  • ECB thus not recommended for messages > 1 block
    or reuse over more than one message.
  • Error propagation: one or more bit errors in a
    cyphertext block only affect the corresponding
    plaintext block
  • In general, for a typical cypher, decryption of
    this block results in random plaintext (i.e. 50%
    of plaintext in error)
  • Can strengthen through the use of random padding
    bits

21
cypher block chaining (CBC)
  • Cypher Block Chaining (CBC)
  • Blocks are chained together
  • IV is some predetermined value

[Figure: CBC: c_0 = E_k(m_0 ⊕ IV), then c_i = E_k(m_i ⊕ c_{i-1})]
22
CBC properties
  • Identical plaintexts result in identical
    cyphertexts when the same plaintext is encyphered
    using the same key and IV.
  • Changing one or more of k, IV or m0 affects this.
  • Chaining dependencies
  • Cyphertext cj depends on m0 … mj
  • Rearrangement of cyphertext blocks affects
    decryption
  • Error propagation
  • Bit error in cyphertext cj affects decyphering of
    cj and cj+1.
  • Recovered block mj typically results in random
    bits
  • Bit errors in recovered block mj+1 are precisely
    where cj was in error.
  • Attacker can cause predictable bit changes in
    mj+1 by altering cj
  • Bit Recovery
  • CBC is self-synchronising or cyphertext autokey
    in that if a bit error occurs in cj but not cj+1,
    then cj+2 correctly decrypts to mj+2

23
output feedback mode (OFM)
  • Output Feedback Mode (OFM) (effectively a stream
    cypher)

[Figure: OFB: keystream o_0 = E_k(IV), o_i = E_k(o_{i-1}); c_i = m_i ⊕ o_i]
24
properties of OFB
  • Identical plaintexts result in identical
    cyphertexts when the same plaintext is encyphered
    using the same key and IV.
  • Chaining dependencies
  • The keystream is plaintext independent
  • Error propagation
  • one or more bit errors in any cyphertext block
    results only in decypherment of that block in the
    precise position of error
  • Error recovery
  • OFB recovers from cyphertext bit errors but not
    bit loss (results in misalignment of the keystream)
  • Throughput
  • Keystream may be independently calculated (e.g.
    precomputed)
  • IV must be changed if the key is reused
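The three modes of slides 19 to 24 with the error-propagation behaviour they describe, as an added example that is not part of the slides: the block cipher is a constructed toy 64-bit keyed permutation standing in for DES (not DES, and not secure), so only the mode behaviour is being demonstrated.

```python
# Added example (not from the slides): ECB, CBC and OFB over a toy keyed
# 64-bit permutation standing in for DES (constructed; NOT a secure cipher).
# Only the mode behaviour is the point: repeated blocks leak under ECB, a bit
# flip in c_j garbles m_j and flips the same bit of m_{j+1} under CBC, and
# flips only the matching bit of m_j under OFB.
BLOCK = 8
MASK = (1 << 64) - 1
ODD = 0x9E3779B97F4A7C15  # odd, so multiplication mod 2^64 is invertible
ODD_INV = pow(ODD, -1, 1 << 64)

def e_block(key: int, block: bytes) -> bytes:
    """Toy keyed 64-bit permutation E_k, a stand-in for DES (key < 2^64)."""
    x = int.from_bytes(block, "big") ^ key
    x = ((x << 23) | (x >> 41)) & MASK  # rotate left by 23
    return (((x * ODD) & MASK) ^ key).to_bytes(BLOCK, "big")

def d_block(key: int, block: bytes) -> bytes:
    """Inverse of e_block: undo each step in reverse order."""
    x = ((int.from_bytes(block, "big") ^ key) * ODD_INV) & MASK
    x = ((x >> 23) | (x << 41)) & MASK  # rotate right by 23
    return (x ^ key).to_bytes(BLOCK, "big")

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data: bytes) -> list:  # caller supplies a whole number of blocks
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: int, m: bytes) -> bytes:  # every block on its own
    return b"".join(e_block(key, b) for b in blocks(m))

def ecb_decrypt(key: int, c: bytes) -> bytes:
    return b"".join(d_block(key, b) for b in blocks(c))

def cbc_encrypt(key: int, iv: bytes, m: bytes) -> bytes:
    out, prev = [], iv
    for b in blocks(m):  # c_i = E_k(m_i XOR c_{i-1}), with c_{-1} = IV
        prev = e_block(key, xor_bytes(b, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: int, iv: bytes, c: bytes) -> bytes:
    out, prev = [], iv
    for b in blocks(c):  # m_i = D_k(c_i) XOR c_{i-1}: an error in c_j hits m_j, m_{j+1}
        out.append(xor_bytes(d_block(key, b), prev))
        prev = b
    return b"".join(out)

def ofb_crypt(key: int, iv: bytes, data: bytes) -> bytes:
    out, o = [], iv  # keystream o_i = E_k(o_{i-1}), o_0 = E_k(IV); both directions
    for b in blocks(data):
        o = e_block(key, o)
        out.append(xor_bytes(b, o))
    return b"".join(out)

def flip_bit(data: bytes, bit: int) -> bytes:
    d = bytearray(data)
    d[bit // 8] ^= 0x80 >> (bit % 8)  # models a single channel bit error
    return bytes(d)
```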

25
evaluating block cyphers and modes
  • Estimated Security Level
  • Confidence grows the longer it has been openly
    analysed.
  • Key Size
  • An upper bound on the security of the cypher (i.e.
    brute force).
  • Longer keys have added costs to key generation,
    distribution, storage, difficulty to remember
    passwords, key recovery (!)
  • Throughput
  • Relates to affinity of design to implementation
  • Block Size
  • Larger is better but more costly
  • Complexity of Cryptographic Mapping
  • Data Expansion
  • Error Propagation
  • Effect of bit errors differs between cyphers and
    mode of operation

26
references
  • Handbook of Applied Cryptography
  • 7.1 - 7.4
  • Stallings
  • 3