CS 5950/6030 Network Security Class 8 (M, 9/19/05)

1
CS 5950/6030 Network Security
Class 8 (M, 9/19/05)
Leszek Lilien
Department of Computer Science
Western Michigan University
Using some slides prepared by:
Prof. Aaron Striegel at U. of Notre Dame
Prof. Barbara Endicott-Popovsky and Prof. Deborah Frincke at U. Washington
Prof. Jussipekka Leiwo at Vrije Universiteit (Free U.), Amsterdam, The Netherlands
2
2C. Making Good Ciphers
  • Cipher = encryption algorithm
  • Outline
  • 2C.1. Criteria for Good Ciphers
  • 2C.2. Stream and Block Ciphers
  • 2C.3. Cryptanalysis
  • 2C.4. Symmetric and Asymm. Cryptosystems P.1

Class 6 Class 7
3
2C.2. Stream and Block Ciphers (1)
  • Stream cipher: 1 char from P → 1 char for C
  • Example: polyalphabetic cipher
  • ...

4
  • Correction of example from Class 7

5
c. Block Ciphers (1)
  • ...
  • Block cipher
  • 1 block of chars from P → 1 block of chars for C
  • Example of block cipher: columnar transposition
  • Block size is o(message length) (informally)

6
Block Ciphers (2)
  • Why is block size o(message length)?
  • Because R must wait for almost the entire C before it can decode some characters near the beginning of P
  • E.g., for P = HELLO WORLD, block size is o(10)
  • Suppose that Key = 3 (3 columns)
  • C as sent (in the right-to-left order)

HEL LOW ORL DXX
7
Block Ciphers (3)
  • C as received (in the right-to-left order)
  • R knows K = 3, block size = 12 (=> 4 rows)
  • => R knows that characters will be sent in the order:
  • 1st-4th-7th-10th--2nd-5th-8th-11th--3rd-6th-9th-12th
  • R must wait for at least:
  • 1 char of C to decode 1st char of P (h)
  • 5 chars of C to decode 2nd char of P (he)
  • 9 chars of C to decode 3rd, 4th, and 5th chars of P (hello)
  • 10 chars of C to decode 6th, 7th, and 8th chars of P (hello wor)
  • etc.

xlwlxroedolh
123 456 789 abc
a=10 b=11 c=12
8
Block Ciphers (4)
  • Informally, we might call ciphers like the above example columnar transposition cipher weak-block ciphers
  • R can get some (even most) but not all chars of P before entire C is received
  • R can get one char of P immediately
  • the 1st - after 1 of C (delay of 1 - 1 = 0)
  • R can get some chars of P with small delay
  • e.g., 2nd - after 5 of C (delay of 5 - 2 = 3)
  • R can get some chars of P with large delay
  • e.g., 3rd - after 9 of C (delay of 9 - 3 = 6)
  • There are block ciphers where R cannot even start decoding C before receiving the entire C
  • Informally, we might call them strong-block ciphers
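
The delays listed on slides 7 and 8, computed instead of counted by hand. This Python sketch is an added example, not part of the original slides; the function names are illustrative, and it generalizes the slide's case (key 3, block size 12) to any column count and block size.

```python
# Added example (not from the slides): columnar transposition and the number
# of ciphertext characters R needs before each plaintext character is readable.

def encrypt(plaintext, columns, pad="X"):
    """Write P row by row into `columns` columns, send C column by column."""
    text = plaintext.replace(" ", "").upper()
    text += pad * (-len(text) % columns)        # fill the last row
    return "".join(text[c::columns] for c in range(columns))

def arrival_order(block_size, columns):
    """1-based positions in P, in the order their characters arrive in C."""
    return [p + 1 for c in range(columns)
            for p in range(c, block_size, columns)]

def decrypt(ciphertext, columns):
    plain = [""] * len(ciphertext)
    for ch, pos in zip(ciphertext, arrival_order(len(ciphertext), columns)):
        plain[pos - 1] = ch
    return "".join(plain)

def chars_needed(block_size, columns):
    """chars_needed[i-1] = chars of C received before P is readable up to i."""
    arrived_at = {pos: n for n, pos in
                  enumerate(arrival_order(block_size, columns), start=1)}
    needed, latest = [], 0
    for pos in range(1, block_size + 1):
        latest = max(latest, arrived_at[pos])
        needed.append(latest)
    return needed

def delays(block_size, columns):
    """Delay for the i-th char of P = chars of C needed minus i."""
    return [n - i for i, n in
            enumerate(chars_needed(block_size, columns), start=1)]

if __name__ == "__main__":
    c = encrypt("HELLO WORLD", 3)               # the slide's P and key
    print("C in sending order:", c, "| as drawn right-to-left:", c[::-1].lower())
    print("P recovered:", decrypt(c, 3))
    for i, (n, d) in enumerate(zip(chars_needed(12, 3), delays(12, 3)), 1):
        print(f"P char {i:2}: readable after {n:2} chars of C, delay {d}")
```

With a single column the cipher degenerates to a stream: `delays(12, 1)` is all zeros, which is the other end of the stream/block spectrum the slides describe.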

9
2C.3. Cryptanalysis (1)
  • What cryptanalysts do when confronted with
    unknown?
  • ...

10
2C.4. Symmetric and Asymmetric
Cryptosystems (1)
  • Symmetric encryption = secret key encryption
  • KE = KD - secret (private) key
  • Only sender S and receiver R know the key
  • As long as the key remains secret, it also provides authentication (= proof of sender's identity)

cf. J. Leiwo
11
Symmetric and Asymmetric Cryptosystems (2a)
  • Problems with symmetric encryption
  • Ensuring security of the key channel
  • Need an efficient key distribution infrastructure
  • A separate key needed for each communicating S-R pair
  • For n communicating users, need n(n-1)/2 keys

12
  • Class 7 ended here

13
Section 2 Class 8 (1)
  • 2. Introduction to Cryptology
  • ...
  • 2C. Making Good Ciphers
  • ...
  • 2C.2. Stream and Block Ciphers
  • 2C.3. Cryptanalysis
  • 2C.4. Symmetric and Asymm. Cryptosystems PART 1
  • 2C.4. Symmetric and Asymm. Cryptosystems PART 2
  • 2D. The DES (Data Encryption Standard)
    Algorithm
  • 2D.1. Background and History of DES
  • 2D.2. Overview of DES
  • 2D.3. Double and Triple DES
  • 2D.4. Security of DES

Class 7
Class 8
14
Section 2 Class 8 (2)
  • 2E. The Clipper Story
  • 2F. The AES (Advanced Encryption Standard)
    Algorithm
  • 2F.1. The AES Contest

15
Symmetric and Asymmetric Cryptosystems (2b)
  • Asymmetric encryption = public key encryption (PKE)
  • KE ≠ KD - public and private keys
  • PKE systems eliminate symmetric encr. problems
  • Need no secure key distribution channel
  • => easy key distribution

16
Symmetric and Asymmetric Cryptosystems (3)
  • One PKE approach
  • R keeps her private key KD
  • R can distribute the corresponding public key KE to anybody who wants to send encrypted msgs to her
  • No need for secure channel to send KE
  • Can even post the key on an open Web site - it is public!
  • Only private KD can decode msgs encoded with public KE!
  • Anybody (KE is public) can encode
  • Only owner of KD can decode

17
Symmetric and Asymmetric Cryptosystems (4): Symm. vs. Asymm. Key Algorithms
  • Symmetric
  • Key: D = E
  • K kept secret
  • K agreed upon between 2 parties in advance
  • Like using a simple safe (with one door)
  • Need safe key to deposit doc in safe
  • Need safe key to get doc from safe
  • Asymmetric
  • Key pair: <E, D>, D ≠ E
  • D kept secret
  • E public (usually, or known to n users)
  • E distributed to k users before first communication (by owner of D)
  • Like using a safe with locked deposit slot
  • Need deposit slot key to slide doc into safe
  • Need safe door key to get doc from safe

Symmetric - cf. Barbara Endicott-Popovsky, U. Washington; Source: D. Frincke, U. of Idaho
18
Symmetric and Asymmetric Cryptosystems (5)
Need for Key Management
  • Private key must be carefully managed in both SE
    and PKE (asymm.) cryptosystems
  • Storing / safeguarding / activating-deactivating
  • Keys can expire - e.g. to take a key away from a fired employee
  • Public key must be carefully distributed in PKE systems
  • => Key management is a major issue

cf. A. Striegel
19
2D. DES (Data Encryption Standard)
  • Outline
  • 2D.1. Background and History of DES
  • 2D.2. Overview of DES
  • 2D.3. Double and Triple DES
  • 2D.4. Security of DES

20
2D.1. Background and History of DES (1)
  • Early 1970s - NBS (Nat'l Bureau of Standards) recognized general public's need for a secure crypto system
  • NBS - part of US gov't / Now: NIST - Nat'l Inst. of Standards & Technology
  • "Encryption for the masses" [A. Striegel]
  • Existing US gov't crypto systems were not meant to be made public
  • E.g. DoD, State Dept.
  • Problems with proliferation of commercial
    encryption devices
  • Incompatible
  • Not extensively tested by independent body

21
Background and History of DES (2)
  • 1972 - NBS calls for proposals for a public
    crypto system
  • Criteria
  • Highly secure / easy to understand / publishable
    /
  • available to all / adaptable to diverse apps /
  • economical / efficient to use / able to be
    validated /
  • exportable
  • In truth: Not too strong (for NSA, etc.)
  • 1974 - IBM proposed its Lucifer
  • DES based on it
  • Tested by NSA (Nat'l Security Agency) and the general public
  • Nov. 1976 - DES adopted as US standard for sensitive but unclassified data / communication
  • Later adopted by ISO (Int'l Standards Organization)
  • Official name: DEA - Data Encryption Algorithm / DEA-1 abroad

22
2D.2. Overview of DES (1)
  • DES - a block cipher
  • a product cipher
  • 16 rounds (iterations) on the input bits (of P)
  • substitutions (for confusion) and
  • permutations (for diffusion)
  • Each round with a round key
  • Generated from the user-supplied key
  • Easy to implement in S/W or H/W

cf. Barbara Endicott-Popovsky, U. Washington
23
Overview of DES (2): Basic Structure
  • Input: 64 bits (a block)
  • Li/Ri: left/right half of the input block for iteration i (32 bits), subject to substitution S and permutation P (cf. Fig 2-8 text)
  • K - user-supplied key
  • Ki - round key
  • 56 bits used + 8 unused
  • (unused for E but often used for error checking)
  • Output: 64 bits (a block)
  • Note: Ri becomes L(i+1)
  • All basic ops are simple logical ops
  • Left shift / XOR

Fig. cf. J. Leiwo
24
Overview of DES (3) - Generation of Round Keys
  • key: user-supplied key (input)
  • PC-1, PC-2: permutation tables
  • PC-2 also extracts 48 of 56 bits
  • K1 - K16: round keys (outputs)
  • Length(Ki) = 48
  • Ci / Di: confusion / diffusion (?)
  • LSH: left shift (rotation) tables

Fig cf. Barbara Endicott-Popovsky, U.
Washington
25
Overview of DES (4) - Problems with DES
  • Diffie, Hellman 1977 prediction: "In a few years, technology would allow DES to be broken in days."
  • Key length is fixed (= 56)
  • 2^56 keys ~ 10^15 keys
  • Becoming too short for faster computers
  • 1997 - 3,500 machines, 4 months
  • 1998 - special DES cracker h/w, 4 days
  • Design decisions not public
  • Suspected of having backdoors
  • Speculation: To facilitate government access?

26
2D.3. Double and Triple DES (1)
  • Double DES
  • Use double DES encryption
  • C = E(k2, E(k1, P))
  • Expected to multiply difficulty of breaking the encryption
  • Not true!
  • In general, 2 encryptions are not better than one
  • [Merkle, Hellman, 1981]
  • Only doubles the attacker's work
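
Why the second key only doubles the work, measured on a toy cipher. This is an added example, not from the original slides: `E`/`D` are a made-up 16-bit block cipher with 12-bit keys (not DES), the sample keys and plaintexts are constructed, and the search matches E(k1, P) against D(k2, C) for known (P, C) pairs, which is the meet-in-the-middle argument behind the Merkle-Hellman result.

```python
# Added example: toy 16-bit block cipher with 12-bit keys (NOT DES), used only
# to count the operations needed to search a double-encryption key pair.
MASK, KEY_BITS = 0xFFFF, 12
M = 0x9E37                          # odd multiplier, invertible mod 2**16
M_INV = pow(M, -1, 1 << 16)

def rotl(x, r):
    return ((x << r) | (x >> (16 - r))) & MASK

def E(k, p):
    """Toy encryption: three rounds of key XOR, multiply, rotate left 7."""
    for r in range(3):
        p = rotl(((p ^ (k + r)) * M) & MASK, 7)
    return p

def D(k, c):
    """Inverse of E: undo the rounds in reverse (rotl 9 == rotate right 7)."""
    for r in reversed(range(3)):
        c = ((rotl(c, 9) * M_INV) & MASK) ^ (k + r)
    return c

def double_encrypt(k1, k2, p):
    return E(k2, E(k1, p))          # C = E(k2, E(k1, P)), as on the slide

def search_key_pair(pairs):
    """Return (candidate key pairs, table-building operations) for known
    (P, C) pairs; the few verification encryptions are not counted."""
    (p0, c0), rest = pairs[0], pairs[1:]
    middle, ops = {}, 0
    for k1 in range(1 << KEY_BITS):             # 2**12 encryptions of P
        middle.setdefault(E(k1, p0), []).append(k1)
        ops += 1
    found = []
    for k2 in range(1 << KEY_BITS):             # 2**12 decryptions of C
        ops += 1
        for k1 in middle.get(D(k2, c0), []):    # same middle value?
            if all(double_encrypt(k1, k2, p) == c for p, c in rest):
                found.append((k1, k2))
    return found, ops

def demo():
    k1, k2 = 0x3A7, 0xC51                       # constructed sample keys
    pairs = [(p, double_encrypt(k1, k2, p)) for p in (0x1234, 0xBEEF, 0x0F0F)]
    found, ops = search_key_pair(pairs)
    return (k1, k2) in found, ops, 1 << KEY_BITS, 1 << (2 * KEY_BITS)

if __name__ == "__main__":
    ok, ops, single, naive = demo()
    print(f"key pair recovered: {ok}")
    print(f"single-key search: {single} ops; double: {ops} ops (not {naive})")
```

The price of the shortcut is memory: the table holds one entry per k1, so the time saved is paid for in storage.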

27
Double and Triple DES (2)
  • Triple DES
  • Is it C = E(k3, E(k2, E(k1, P)))?
  • Not soooo simple!

28
Double and Triple DES (3)
  • Triple DES
  • Tricks used
  • D not E in the 2nd step, k1 used twice (in steps 1 & 3)
  • It is
  • C = E(k1, D(k2, E(k1, P)))
  • and
  • P = D(k1, E(k2, D(k1, C)))
  • Doubles the effective key length
  • 112-bit key is quite strong
  • Even for today's computers
  • For all feasible known attacks

29
2D.4. Security of DES
  • So, is DES insecure?
  • No, not yet
  • 1997 attack required a lot of cooperation
  • The 1998 special-purpose machine is still very expensive
  • Triple DES still beyond the reach of these 2 attacks
  • But ...
  • In 1995, NIST (formerly NBS) began search for new
    strong encryption standard

30
2E. The Clipper Story (1)
  • ... Or: How not to set up a standard
  • A scenario
  • Only a single electronic copy of a corporation's crucial (and sensitive) document
  • To prevent espionage, strong encryption used to
    protect that document
  • Only CEO knows the key
  • CEO gets hit by a truck
  • Is the document lost forever?
  • Key escrow (a depository) facilitates recovery of
    the document if the key is lost

cf. J. Leiwo
31
The Clipper Story (2)
  • 1993 - Clipper - U.S. Government's attempt to mandate key escrow
  • Secret algorithm, invented by National Security Agency
  • Only authorities can recover any communications
  • Add an escrow key and split into halves
  • Give each half to a different authority
  • If there is a search warrant, authorities can
    combine their halves and recover intercepted
    communication
  • Of course, government will use it for legitimate
    purposes only

cf. J. Leiwo
32
The Clipper Story (3)
  • Clipper failed big time
  • Classified algorithm, h/w (Clipper chip)
    implements only
  • Equipment AND keys provided by the government
  • No export of equipment
  • Public relations disaster
  • "Electronic civil liberties" organizations (incl. Electronic Privacy Information Center & Electronic Frontier Foundation) challenged the Clipper chip proposal
  • Their claims:
  • It would subject citizens to increased, possibly illegal, government surveillance
  • Strength of encryption could not be evaluated by the public (bec. secret algorithm) - might be insecure

above -cf. J. Leiwo
33
2F. AES
  • ... Or: How to set up a standard
  • AES = Advanced Encryption Standard
  • Outline
  • 2F.1. The AES Contest
  • 2F.2. Overview of Rijndael
  • 2F.3. Strength of AES
  • 2F.4. Comparison of DES and AES

34
2F.1. The AES Contest (1)
  • 1997 - NIST (Nat'l Institute of Standards and Technology) calls for proposals
  • Criteria
  • Unclassified code
  • Publicly disclosed
  • Royalty-free worldwide
  • Symmetric block cipher for 128-bit blocks
  • Usable with keys of 128, 192, and 256 bits
  • 1998 - 15 algorithms selected

35
The AES Contest (2)
  • 1999 - 5 finalists [cf. J. Leiwo]
  • MARS by IBM
  • RC6 by RSA Laboratories
  • Rijndael by Joan Daemen and Vincent Rijmen
  • Serpent by Ross Anderson, Eli Biham and Lars Knudsen
  • Twofish by Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall and Niels Ferguson
  • Evaluation of finalists
  • Public and private scrutiny
  • Key evaluation areas
  • security / cost or efficiency of operation /
  • ease of software implementation

36
The AES Contest (3)
  • 2001 - and the winner is ...
  • Rijndael (RINE-dahl)
  • Authors: Vincent Rijmen & Joan Daemen
  • Adopted by US gov't as Federal Info Processing Standard 197 (FIPS 197)

37
  • End of Class 8