Title: CS 5950/6030 Network Security Class 8 (M, 9/19/05)
CS 5950/6030 Network Security, Class 8 (M, 9/19/05)
Leszek Lilien, Department of Computer Science, Western Michigan University
Using some slides prepared by:
- Prof. Aaron Striegel at U. of Notre Dame
- Prof. Barbara Endicott-Popovsky and Prof. Deborah Frincke at U. Washington
- Prof. Jussipekka Leiwo at Vrije Universiteit (Free U.), Amsterdam, The Netherlands
2C. Making Good Ciphers
- Cipher = encryption algorithm
- Outline
  - 2C.1. Criteria for Good Ciphers
  - 2C.2. Stream and Block Ciphers
  - 2C.3. Cryptanalysis
  - 2C.4. Symmetric and Asymm. Cryptosystems P.1
2C.2. Stream and Block Ciphers (1)
- Stream cipher: 1 char from P → 1 char for C
  - Example: polyalphabetic cipher
- ...
- Correction of example from Class 7
c. Block Ciphers (1)
- ...
- Block cipher
  - 1 block of chars from P → 1 block of chars for C
  - Example of block cipher: columnar transposition
  - Block size = o(message length) (informally)
Block Ciphers (2)
- Why block size = o(message length)?
  - Because must wait for almost the entire C before can decode some characters near beginning of P
- E.g., for P = HELLO WORLD, block size is o(10)
- Suppose that Key = 3 (3 columns)
    HEL
    LOW
    ORL
    DXX
- C as sent (in the right-to-left order)
Block Ciphers (3)
- C as received (in the right-to-left order): xlwlxroedolh
- R knows K = 3, block size = 12 (=> 4 rows)
- => R knows that characters will be sent in the order:
  1st-4th-7th-10th--2nd-5th-8th-11th--3rd-6th-9th-12th
- Positions of the chars of P in the 3-column table (a = 10, b = 11, c = 12):
    123
    456
    789
    abc
- R must wait for at least:
  - 1 char of C to decode 1st char of P (h)
  - 5 chars of C to decode 2nd char of P (he)
  - 9 chars of C to decode 3rd, 4th, and 5th chars of P (hello)
  - 10 chars of C to decode 6th, 7th, and 8th chars of P (hello wor)
  - etc.
Block Ciphers (4)
- Informally, we might call ciphers like the above example columnar transposition cipher weak-block ciphers
  - R can get some (even most) but not all chars of P before entire C is received
  - R can get one char of P immediately
    - the 1st: after 1 of C (delay of 1 - 1 = 0)
  - R can get some chars of P with small delay
    - e.g., 2nd: after 5 of C (delay of 5 - 2 = 3)
  - R can get some chars of P with large delay
    - e.g., 3rd: after 9 of C (delay of 9 - 3 = 6)
- There are block ciphers when R cannot even start decoding C before receiving the entire C
  - Informally, we might call them strong-block ciphers
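The HELLO WORLD walk-through above can be checked mechanically. The following is an added example, not part of the original slides; the function names are chosen here for illustration, and C is handled in transmission order (the slides draw it right-to-left).

```python
# Added example: columnar transposition with 3 columns, and how much of P the
# receiver R can decode after each received character of C.

def encrypt(plaintext: str, cols: int, pad: str = "X") -> str:
    """Write P row by row into `cols` columns, then read it column by column."""
    p = plaintext.replace(" ", "").upper()
    p += pad * (-len(p) % cols)                 # fill the last row (HELLOWORLDXX)
    return "".join(p[c::cols] for c in range(cols))

def arrival_index(pos: int, cols: int, n: int) -> int:
    """1-based position in C at which the pos-th (1-based) char of P arrives."""
    rows = n // cols
    row, col = divmod(pos - 1, cols)
    return col * rows + row + 1

def decrypt(ciphertext: str, cols: int) -> str:
    """Rebuild P by picking each of its chars from its arrival position in C."""
    n = len(ciphertext)
    return "".join(ciphertext[arrival_index(i, cols, n) - 1] for i in range(1, n + 1))

def decodable_prefix(received: int, cols: int, n: int) -> int:
    """Length of the longest prefix of P that R can read after `received` chars."""
    k = 0
    while k < n and arrival_index(k + 1, cols, n) <= received:
        k += 1
    return k

def delay(pos: int, cols: int, n: int) -> int:
    """Delay as defined above: chars of C needed minus the char's position in P."""
    return arrival_index(pos, cols, n) - pos

if __name__ == "__main__":
    c = encrypt("HELLO WORLD", 3)
    print("C in transmission order:", c)
    print("C drawn right-to-left:  ", c[::-1].lower())
    for got in (1, 5, 9, 10, 12):
        k = decodable_prefix(got, 3, len(c))
        print(f"{got:2d} chars of C -> first {k} chars of P: {decrypt(c, 3)[:k]}")
    print("delays for P chars 1..3:", [delay(i, 3, len(c)) for i in (1, 2, 3)])
```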
2C.3. Cryptanalysis (1)
- What cryptanalysts do when confronted with unknown?
- ...
2C.4. Symmetric and Asymmetric Cryptosystems (1)
- Symmetric encryption = secret key encryption
  - KE = KD = secret (private) key
  - Only sender S and receiver R know the key
  - As long as the key remains secret, it also provides authentication (= proof of sender's identity)
cf. J. Leiwo
Symmetric and Asymmetric Cryptosystems (2a)
- Problems with symmetric encryption
  - Ensuring security of the key channel
  - Need an efficient key distribution infrastructure
  - A separate key needed for each communicating S-R pair
    - For n communicating users, need n (n - 1) / 2 keys
Section 2 Class 8 (1)
- 2. Introduction to Cryptology
  - ...
  - 2C. Making Good Ciphers
    - ...
    - 2C.2. Stream and Block Ciphers
    - 2C.3. Cryptanalysis
    - 2C.4. Symmetric and Asymm. Cryptosystems PART 1
    - 2C.4. Symmetric and Asymm. Cryptosystems PART 2
  - 2D. The DES (Data Encryption Standard) Algorithm
    - 2D.1. Background and History of DES
    - 2D.2. Overview of DES
    - 2D.3. Double and Triple DES
    - 2D.4. Security of DES
Section 2 Class 8 (2)
- 2E. The Clipper Story
- 2F. The AES (Advanced Encryption Standard) Algorithm
  - 2F.1. The AES Contest
Symmetric and Asymmetric Cryptosystems (2b)
- Asymmetric encryption = public key encryption (PKE)
  - KE ≠ KD: public and private keys
- PKE systems eliminate symmetric encr. problems
  - Need no secure key distribution channel
  - => easy key distribution
Symmetric and Asymmetric Cryptosystems (3)
- One PKE approach
  - R keeps her private key KD
  - R can distribute the corresponding public key KE to anybody who wants to send encrypted msgs to her
    - No need for secure channel to send KE
    - Can even post the key on an open Web site: it is public!
  - Only private KD can decode msgs encoded with public KE!
    - Anybody (KE is public) can encode
    - Only owner of KD can decode
Symmetric and Asymmetric Cryptosystems (4): Symm. vs. Asymm. Key Algorithms
- Symmetric
  - Key: D = E
  - K kept secret
  - K agreed upon between 2 parties in advance
  - Like using a "simple" safe (with one door)
    - Need safe key to deposit doc in safe
    - Need safe key to get doc from safe
- Asymmetric
  - Key pair: <E, D>, D ≠ E
  - D kept secret
  - E public (usually; or known to n users)
  - E distributed to k users before first communication (by owner of D)
  - Like using a safe with locked deposit slot
    - Need deposit slot key to slide doc into safe
    - Need safe door key to get doc from safe
cf. Barbara Endicott-Popovsky, U. Washington. Source: D. Frincke, U. of Idaho
Symmetric and Asymmetric Cryptosystems (5): Need for Key Management
- Private key must be carefully managed in both SE and PKE (asymm.) cryptosystems
  - Storing / safeguarding / activating-deactivating
  - Keys can expire, e.g. to take a key away from a fired employee
- Public key must be carefully distributed in PKE systems
- => Key management is a major issue
cf. A. Striegel
2D. DES (Data Encryption Standard)
- Outline
- 2D.1. Background and History of DES
- 2D.2. Overview of DES
- 2D.3. Double and Triple DES
- 2D.4. Security of DES
2D.1. Background and History of DES (1)
- Early 1970s: NBS (Nat'l Bureau of Standards) recognized general public's need for a secure crypto system
  - NBS: part of US gov't / Now: NIST (Nat'l Inst. of Stand's & Technology)
  - "Encryption for the masses" [A. Striegel]
- Existing US gov't crypto systems were not meant to be made public
  - E.g. DoD, State Dept.
- Problems with proliferation of commercial encryption devices
  - Incompatible
  - Not extensively tested by independent body
Background and History of DES (2)
- 1972: NBS calls for proposals for a public crypto system
  - Criteria:
    - Highly secure / easy to understand / publishable / available to all / adaptable to diverse apps / economical / efficient to use / able to be validated / exportable
    - In truth: Not too strong (for NSA, etc.)
- 1974: IBM proposed its Lucifer
  - DES based on it
  - Tested by NSA (Nat'l Security Agency) and the general public
- Nov. 1976: DES adopted as US standard for sensitive but unclassified data / communication
  - Later adopted by ISO (Int'l Standards Organization)
  - Official name: DEA (Data Encryption Algorithm) / DEA-1 abroad
2D.2. Overview of DES (1)
- DES: a block cipher
  - a product cipher
  - 16 rounds (iterations) on the input bits (of P)
    - substitutions (for confusion) and
    - permutations (for diffusion)
  - Each round with a round key
    - Generated from the user-supplied key
- Easy to implement in S/W or H/W
cf. Barbara Endicott-Popovsky, U. Washington
Overview of DES (2): Basic Structure
- Input: 64 bits (a block)
- Li/Ri: left/right half of the input block for iteration i (32 bits)
  - subject to substitution S and permutation P (cf. Fig 2-8, text)
- K: user-supplied key
- Ki: round key
  - 56 bits used + 8 unused
  - (unused for E but often used for error checking)
- Output: 64 bits (a block)
- Note: Ri becomes L(i+1)
- All basic ops are simple logical ops
  - Left shift / XOR
Fig. cf. J. Leiwo
Overview of DES (3): Generation of Round Keys
- key: user-supplied key (input)
- PC-1, PC-2: permutation tables
  - PC-2 also extracts 48 of 56 bits
- K1 - K16: round keys (outputs)
  - Length(Ki) = 48
- Ci / Di: confusion / diffusion (?)
- LSH: left shift (rotation) tables
Fig. cf. Barbara Endicott-Popovsky, U. Washington
Overview of DES (4): Problems with DES
- Diffie, Hellman 1977 prediction: "In a few years, technology would allow DES to be broken in days."
- Key length is fixed (= 56)
  - 2^56 keys ~ 10^15 keys
  - Becoming too short for faster computers
    - 1997: 3,500 machines, 4 months
    - 1998: special "DES cracker" h/w, 4 days
- Design decisions not public
  - Suspected of having backdoors
    - Speculation: To facilitate government access?
2D.3. Double and Triple DES (1)
- Double DES
  - Use double DES encryption
    - C = E(k2, E(k1, P))
  - Expected to multiply difficulty of breaking the encryption
    - Not true!
    - In general, 2 encryptions are not better than one [Merkle, Hellman, 1981]
    - Only doubles the attacker's work
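Why double encryption only doubles the work can be seen by meeting in the middle: encrypt P under every k1, decrypt C under every k2, and look for matching middle values. The following added example (not from the slides) does this against a constructed toy Feistel cipher with a 16-bit block and 12-bit key that follows the "Ri becomes L(i+1)" rule from the DES overview; the cipher, its S-box and key schedule, and the key values are assumptions made for illustration and are not DES.

```python
# Added example: meet-in-the-middle against C = E(k2, E(k1, P)).
# Toy Feistel cipher (16-bit block, 12-bit key), constructed here; NOT DES.
from collections import defaultdict

KEY_BITS, ROUNDS = 12, 4
# Nonlinear 8-bit S-box: cubing is a permutation modulo the prime 257.
SBOX = [pow(x + 1, 3, 257) & 0xFF for x in range(256)]

def round_keys(key):
    """Round keys are left rotations of the 12-bit key (toy key schedule)."""
    return [((key << 3 * i) | (key >> (KEY_BITS - 3 * i))) & 0xFFF
            for i in range(ROUNDS)]

def _feistel(block, keys):
    left, right = block >> 8, block & 0xFF
    for k in keys:
        # R(i) becomes L(i+1); the new R is L(i) XOR f(R(i), K(i))
        left, right = right, left ^ SBOX[right ^ (k & 0xFF)] ^ (k >> 4)
    return (right << 8) | left            # final swap: same code decrypts

def E(key, block):
    return _feistel(block, round_keys(key))

def D(key, block):
    return _feistel(block, round_keys(key)[::-1])   # round keys in reverse

def meet_in_the_middle(pairs):
    """Find (k1, k2) from known (P, C) pairs; also return cipher-call count."""
    (p0, c0), rest = pairs[0], pairs[1:]
    ops = 0
    middle = defaultdict(list)            # E(k1, P0) -> all k1 producing it
    for k1 in range(1 << KEY_BITS):
        middle[E(k1, p0)].append(k1)
        ops += 1
    found = []
    for k2 in range(1 << KEY_BITS):
        ops += 1
        for k1 in middle.get(D(k2, c0), ()):
            # 16-bit blocks give false matches; confirm on the other pairs
            ops += 2 * len(rest)          # upper bound on calls for this check
            if all(E(k2, E(k1, p)) == c for p, c in rest):
                found.append((k1, k2))
    return found, ops

if __name__ == "__main__":
    K1, K2 = 0x5A3, 0xC1E                 # constructed secret keys
    known = [(p, E(K2, E(K1, p))) for p in (0x1234, 0xBEEF)]
    keys, ops = meet_in_the_middle(known)
    print(keys, ops, "cipher calls vs", 1 << 2 * KEY_BITS, "for brute force")
```

The price of the attack is memory: the table holds one entry per possible k1.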
Double and Triple DES (2)
- Triple DES
  - Is it C = E(k3, E(k2, E(k1, P)))?
  - Not soooo simple!
Double and Triple DES (3)
- Triple DES
  - Tricks used:
    - D not E in the 2nd step, k1 used twice (in steps 1 & 3)
  - It is:
    - C = E(k1, D(k2, E(k1, P)))
    - and
    - P = D(k1, E(k2, D(k1, C)))
  - Doubles the effective key length
    - 112-bit key is quite strong
      - Even for today's computers
      - For all feasible known attacks
2D.4. Security of DES
- So, is DES insecure?
- No, not yet
  - 1997 attack required a lot of cooperation
  - The 1998 special-purpose machine is still very expensive
  - Triple DES still beyond the reach of these 2 attacks
- But ...
  - In 1995, NIST (formerly NBS) began search for new strong encryption standard
2E. The Clipper Story (1)
- ... Or: How not to set up a standard
- A scenario
  - Only a single electronic copy of a corporation's crucial (and sensitive) document
  - To prevent espionage, strong encryption used to protect that document
  - Only CEO knows the key
  - CEO gets hit by a truck
  - Is the document lost forever?
- Key escrow (a depository) facilitates recovery of the document if the key is lost
cf. J. Leiwo
The Clipper Story (2)
- 1993: Clipper, the U.S. Government's attempt to mandate key escrow
  - Secret algorithm, invented by National Security Agency
  - Only authorities can recover any communications
    - Add an escrow key and split into halves
    - Give each half to a different authority
    - If there is a search warrant, authorities can combine their halves and recover intercepted communication
  - Of course, government will use it for legitimate purposes only
cf. J. Leiwo
The Clipper Story (3)
- Clipper failed big time
  - Classified algorithm, h/w (Clipper chip) implementations only
  - Equipment AND keys provided by the government
  - No export of equipment
- Public relations disaster
  - "Electronic civil liberties" organizations (incl. Electronic Privacy Information Center & Electronic Frontier Foundation) challenged the Clipper chip proposal
  - Their claims:
    - It would subject citizens to increased, possibly illegal, government surveillance
    - Strength of encryption could not be evaluated by the public (bec. secret algorithm), so it might be insecure
above: cf. J. Leiwo
2F. AES
- ... Or: How to set up a standard
- AES = Advanced Encryption Standard
- Outline
- 2F.1. The AES Contest
- 2F.2. Overview of Rijndael
- 2F.3. Strength of AES
- 2F.4. Comparison of DES and AES
2F.1. The AES Contest (1)
- 1997: NIST (Nat'l Institute of Standards and Technology) calls for proposals [NIST]
  - Criteria:
    - Unclassified code
    - Publicly disclosed
    - Royalty-free worldwide
    - Symmetric block cipher for 128-bit blocks
    - Usable with keys of 128, 192, and 256 bits
- 1998: 15 algorithms selected
The AES Contest (2)
- 1999: 5 finalists [cf. J. Leiwo]
  - MARS by IBM
  - RC6 by RSA Laboratories
  - Rijndael by Joan Daemen and Vincent Rijmen
  - Serpent by Ross Anderson, Eli Biham and Lars Knudsen
  - Twofish by Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall and Niels Ferguson
- Evaluation of finalists
  - Public and private scrutiny
  - Key evaluation areas:
    - security / cost or efficiency of operation / ease of software implementation
The AES Contest (3)
- 2001: ... and the winner is ...
  - Rijndael (RINE-dahl)
  - Authors: Vincent Rijmen & Joan Daemen
- Adopted by US gov't as Federal Info Processing Standard 197 (FIPS 197)