ELEC5616 computer and network security - PowerPoint PPT Presentation

ELEC5616 computer and network security, matt barrie, mattb_at_ee.usyd.edu.au, CNS2010 lecture 4 :: cyphers II

1
ELEC5616 computer and network security
  • matt barrie
  • mattb_at_ee.usyd.edu.au

2
pseudorandom number generators
  • Sources of random numbers are desirable in many
    applications
      • Session keys
      • Deck shuffling
      • Challenges
      • Nonces
  • Unfortunately truly random sources are not easy
    to come by
      • Thermal noise in electric circuits
      • Timing of Geiger counter clicks
  • Instead applications need to make do with a
    pseudorandom number generator (PRNG).

3
pseudorandom number generators
  • Desirable properties of PRNGs are:
      • Repeatability
      • Statistical randomness
      • Long period/cycle
      • Insensitive to seeds
  • PRNGs are often broken by:
      • Statistical tests to find patterns or bias in the
        output sequence
      • Inferring the state of internal registers from
        the output sequence
  • PRNGs are usually critically important parts of
    the system, and often a single point of failure

4
linear congruential generators
  • Linear Congruential Generators
      • $x_{n+1} = (a x_n + b) \bmod c$
      • e.g. Unix rand() function
      • a, b, c are constants
      • Period of generator is less than c
  • Cannot be used for security - easily predictable!
      • Only need two consecutive values to reconstruct
        the internal state.
  • Was used by an Internet casino who were so sure
    of their code, they published their algorithms!
      • With expected results
  • Moral of the story: don't use it!

5
linear feedback shift registers
  • Linear Feedback Shift Registers (LFSRs)
      • Seed is the initial value of the shift register
      • Feedback network based on polynomials over finite
        fields
      • Easy and very fast in hardware (1 bit per clock)
  • Problem
      • Tap configuration can be determined from 2n
        output bits

[Figure: n-bit shift register]
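
Added example (not from the original slides): the 2n-bit claim above, worked through with the Berlekamp-Massey algorithm, which the slide does not name. The tap set, seed and function names are constructed for illustration; from the first 2n = 32 output bits of a 16-bit register the code recovers the taps and predicts every later bit, which is why raw LFSR output cannot serve as a keystream.

```python
def lfsr_bits(taps, seed, count):
    """Output stream of an LFSR: s[t] = XOR of s[t-k] for each tap k."""
    s = list(seed)                      # seed = initial register contents
    while len(s) < count:
        bit = 0
        for k in taps:
            bit ^= s[-k]
        s.append(bit)
    return s[:count]

def berlekamp_massey(s):
    """Shortest LFSR (length, taps) that generates the bit list s over GF(2)."""
    n = len(s)
    c = [1] + [0] * n                   # current connection polynomial
    b = [1] + [0] * n                   # copy from before the last length change
    length, m = 0, -1                   # m = index of the last length change
    for i in range(n):
        d = s[i]                        # discrepancy between prediction and s[i]
        for j in range(1, length + 1):
            d ^= c[j] & s[i - j]
        if d:
            t = c[:]
            shift = i - m
            for j in range(n + 1 - shift):
                c[j + shift] ^= b[j]
            if 2 * length <= i:
                length, m, b = i + 1 - length, i, t
    return length, [k for k in range(1, length + 1) if c[k]]

def predict(observed, count):
    """Recover the taps from the observed bits, then extend the stream."""
    _, taps = berlekamp_massey(observed)
    return lfsr_bits(taps, observed, len(observed) + count)[len(observed):]

# Constructed sample: a 16-bit register (n = 16) with an arbitrary non-zero seed.
TAPS = [11, 13, 14, 16]
SEED = [1, 0, 1, 1, 0, 0, 1, 0, 0, 1, 1, 1, 0, 1, 0, 1]
stream = lfsr_bits(TAPS, SEED, 96)
```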
6
rc4
  • Wide applications in cryptography
  • Based on permutations of a 256 byte array
  • The seed is the initial value of the array
  • RC4's key scheduling algorithm has problems (WEP
    weakness)
  • i, j = 0
  • while (1)
      • i = i + 1 (mod 256)
      • j = j + s[i] (mod 256)
      • swap(s[i], s[j])
      • t = s[i] + s[j] (mod 256)
      • output s[t]

7
other PRNGs
  • ANSI X9.17
      • Based on 3DES
  • DSA PRNG
      • Based on SHA or DES
  • RSAREF PRNG
      • Based on MD5 hashing and addition modulo $2^{128}$

8
using PRNGs
  • Be extremely careful with PRNG seeds!
  • Hash PRNG inputs with a timestamp or counter
  • Reseed the PRNG occasionally
  • Use a hash function to protect PRNG outputs if
    PRNG is suspect

9
stream cyphers
  • In an OTP, the secret key is the random n-bit
    stream.
  • Stream cyphers replace this random stream with a
    pseudorandom bitstream.
  • The secret key is the seed used to generate the
    pseudorandom stream.
  • $E(m, seed) = m \oplus RNG(seed)$
  • $D(c, seed) = c \oplus RNG(seed)$

[Figure: the seed drives a pseudorandom stream, which is XORed with the plaintext to give the cyphertext]
10
security of stream cyphers
  • Trade-off excellent secrecy for ease of
    implementation / use.
  • The security of the cypher is dependent on the
    security of the pseudorandom number generator.
  • It should be computationally hard to determine
    either the seed or the next number in sequence.
  • Since the random number generator is
    deterministic, the seed should only be used for
    one session.
  • Stream cyphers are much faster than block
    cyphers.
  • To avoid using the same seed twice, we can
    encrypt it using stronger crypto and append to
    the ciphertext (to tell the other party)
  • $E(m, k) = DES(seed, k) \,\|\, (m \oplus RNG(seed))$
      • $DES(seed, k)$: strong
      • $m \oplus RNG(seed)$: fast
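
Added example (not from the original slides): E(m, seed) = m XOR RNG(seed) with the RC4 generator from slide 6 as RNG, showing why a seed must serve one session only. The key-scheduling step is standard RC4, which the slides mention but do not list; the messages, seeds and function names are constructed for illustration.

```python
import secrets

def rc4_keystream(seed, n):
    """RNG(seed): key-schedule the 256-byte array, then run the slide's output loop."""
    s = list(range(256))
    j = 0
    for i in range(256):                         # key scheduling (KSA)
        j = (j + s[i] + seed[i % len(seed)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                           # output loop from slide 6
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(m, seed):
    """E(m, seed) = m XOR RNG(seed); decryption is the same operation."""
    return xor(m, rc4_keystream(seed, len(m)))

decrypt = encrypt

def leaks_plaintext_xor(m1, seed1, m2, seed2):
    """True when XORing the two cyphertexts cancels the keystream entirely."""
    return xor(encrypt(m1, seed1), encrypt(m2, seed2)) == xor(m1, m2)

# Constructed sample messages of equal length.
M1 = b"transfer 0100 to account A"
M2 = b"transfer 9900 to account B"
SHARED = b"session-seed"

# Same seed for both sessions: the keystream drops out of c1 XOR c2.
reused = leaks_plaintext_xor(M1, SHARED, M2, SHARED)
# Fresh random seed per session: the cyphertexts no longer combine that way.
fresh = leaks_plaintext_xor(M1, secrets.token_bytes(16), M2, secrets.token_bytes(16))
```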

11
History of DES
  • 1970s: IBM Research Team led by Feistel devises a
    cypher called LUCIFER with a 128-bit message,
    ciphertext and keyspace.
  • 1973: NBS (now NIST) asks for a proposed data
    encryption standard.
  • 1974: IBM develops DES from LUCIFER.
  • 1975: The NSA fixes DES
      • shortens key to 56 bits (on 64 bit blocks)
      • plays with S (substitution) boxes
      • additional permutations
  • 1977: DES adopted and heavily used to secure
    financial transactions.
  • 1991: Biham & Shamir discover modifications made
    DES resilient to differential cryptanalysis.
  • 1993: Michael Wiener from Nortel theorises a
    USD1M machine could crack DES in 3.5 hours
    using off the shelf components
  • 1997: DES cracked by brute force by
    Distributed.net in 96 days.

12
NSA
  • Was the NSA playing the resource game?
  • "NSA doesn't want a strong cryptosystem as a
    national standard, because it is afraid of not
    being able to read the messages. On the other
    hand, if NSA endorses a weak cryptographic system
    and is discovered, it will get a terrible black
    eye." - EFF 1998

13
DES
  • Data Encryption Standard (DES)
      • Block cypher (64-bit blocks, 56-bit key)
      • 16-round Feistel network
      • A particular construction which is reversible
      • $c = DES_k(m)$
      • $m = DES_k(c)$
      • Note key schedule is reversed
      • Operates in many different modes
  • World's most heavily used and analysed cypher
  • We still don't understand it properly after 25
    years
  • The NSA knew more than we do now, 20 years ago

14
feistel networks
  • Ladder structure
  • Input is split into two blocks, the left and
    right halves
  • The functions $f_1, \ldots, f_k$ are arbitrary mappings
      • $f_1, \ldots, f_k : \{0,1\}^n \to \{0,1\}^n$
  • Each round: $l_i = r_{i-1}$, $r_i = l_{i-1} \oplus f_i(r_{i-1})$

[Figure: Feistel ladder, rounds 1 to 3: left half l0 and right half r0 pass through f1, f2, f3 to give (l1, r1), (l2, r2), (l3, r3)]
15
feistel structure
  • Express cypher as combination of successive round
    functions (can be any number of rounds)
      • $\Psi(f_1, f_2, f_3)$
  • To decrypt, simply use the rounds in reverse
    order i.e.
      • $\Psi^{-1}(f_1, f_2, \ldots, f_{2k-1}) = \Psi(f_{2k-1}, \ldots, f_2, f_1)$
  • Round functions do not need to be invertible
  • If $f_i$ are random functions then $\Psi()$ is
    indistinguishable from a random permutation under
    a chosen plaintext attack
  • This lets us turn any one-way function into a
    block cypher
  • We can thus optimise round functions individually

16
Diffusion and Confusion
  • Many modern symmetric cyphers are based upon two
    principles
  • Diffusion is used to dissipate the statistical
    structure of the plaintext into long range
    statistical properties of the cyphertext
      • We try to make the statistical relationship
        between plaintext and cyphertext complex so the
        key cannot be derived, ideally by having each
        plaintext bit affect as many cyphertext bits as
        possible.
      • In cypher design, we try to get the cyphertext
        symbol, digraph and trigraph frequencies as
        evenly distributed as possible, and ideally
        flipping a bit of the plaintext will result in a
        50% probability of each bit flipping in the
        cyphertext
      • Diffusion is usually achieved through repeated
        application of a permutation function
      • Sometimes seen as a P-Box in cyphers
  • Confusion is used to make the relationship
    between the cyphertext and the key as difficult
    as possible
      • Usually achieved through application of a complex
        substitution function
      • Usually seen in the form of an n x m bit S-box
      • Think of an n-bit address line into an n x m-bit
        RAM (storing a non-linear function)

17
DES structure
  • Initial permutation to discourage software
    implementations (transposition)
  • Plaintext split into left and right halves (each
    32 bits, expanded to 48)
  • S-boxes to confuse (substitution)
  • P-boxes to diffuse (permutation)
  • 16 rounds
  • Key schedule s1..s16 derived from key (each is 48
    of 56 bits)
  • Inverse of initial permutation
18
DES internals
  • 16 round Feistel network with functions $f_1, \ldots, f_{16}$
    derived from the key (through the key scheduling
    algorithm)
  • DES can be defined by the following equations
      • $M = L_0 R_0$, with $|L_0| = |R_0| = 32$ bits
      • $L_i = R_{i-1}$ (16 rounds)
      • $R_i = L_{i-1} \oplus F(R_{i-1}, k_i)$
      • $C = R_{16} L_{16}$ (output)
  • Each $k_i$ is the ith subkey derived from the key k
    according to a key schedule.

19
DES round functions
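  • The function $F(x, k_i) : \{0,1\}^{32} \times \{0,1\}^{48} \to \{0,1\}^{32}$

[Figure: DES round function F: inputs x (32 bits) and ki (48 bits); 48 bits enter S-boxes s1..s8 (substitution, nonlinear, confuse) as 6 bits x 8 and leave as 4 bits x 8; the 32 bits pass through the P-box P (permutation, diffuse)]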
20
avalanche effect in DES
  • DES is designed so that a minor change in the key
    or the plaintext results in a dramatic change in
    the cyphertext.

Bits different in cyphertext after each round:

Round   Bit change in plaintext   Bit change in key
0       1                         0
1       6                         2
2       21                        14
3       35                        28
4       39                        32
5       34                        30
6       32                        32
7       31                        35
8       29                        34
9       42                        40
10      44                        38
11      32                        31
12      30                        33
13      30                        28
14      26                        26
15      29                        34
16      34                        35

Change quickly avalanches, so difference between
cyphertexts approaches that of any two chosen at
random (half the bits in error on average)
21
DES is broken
  • DES has been found to hold up well against many
    forms of cryptanalysis, but fell to brute force.
  • The problem is that Moore's Law has caught up.
  • Security is all about resources, and these
    resources ride the silicon curve.
  • 1993: Michael Wiener theorises USD1M machine
    brute force in 3.5 hours.
  • 1997: www.distributed.net 78,000 PCs brute force
    DES in 96 days.
  • 1998: EFF Deep Crack machine (USD250k) and
    Distributed.net breaks in less than a
    day (3 days for the whole keyspace)
  • 2001: Sub-USD1M custom chip machine brute force
    in under 30 minutes.
  • 2003: FPGAs exploiting optimum cost/performance.

22
EFF DES cracker
  • Based on low-volume gate array machine built with
    AWT
  • Exploits Hardware parallelism
  • 24 DES Search Units / Chip
  • 64 Chips / Board (1800 chips total)
  • 27 Boards total in 2 Sun VME chassis
  • DES performed in 16 cycles
  • Clocked at 40MHz !
  • 2.5 Million keys / second (each unit)
  • Total Cost (1997) USD250k
  • Brute force keyspace in 3 days

23
cryptanalysis cost metrics
  • 1993: Wiener's theoretical machine: $1.3 \times 10^{10}$ d-s
  • 1997: Distributed.net effort: $6.5 \times 10^{14}$ d-s
      • Assuming 1000/machine!
  • 1998: EFF Deep Crack: $6.5 \times 10^{10}$ d-s
  • Moral of the story
      • Highly-parallel special-purpose hardware is much
        more efficient than massively-parallel
        general-purpose processors.
  • The Future?
      • Cryptanalysis using modern FPGAs
      • e.g. Xilinx Virtex-II Pro: 125,000 CLBs and up
        to 4 PPC Cores @ 400MHz
      • Gain efficiencies using highly-parallel arrays of
        crack cores
      • FPGAs can clock @ 100-200MHz vs. 40MHz
      • 4x higher densities
      • Arbitrary function blocks in modern CLBs ideal
        for P/S-boxes
      • Exhaust space in 3-7 hours for same cost as DES
        cracker?

24
FPGA Cryptanalysis
  • In 2003 Ian Howson and I examined
    cost/performance metrics for FPGA implementations
    of key search machines.
  • We showed that DES Cracker could be rebuilt using
    622 Xilinx XC2S200E devices for a total hardware
    cost of 15,540.

25
DES modes of operation
  • Electronic Code Book (ECB)
      • Each 64 bit block is encrypted separately.
      • Vulnerable to dictionary attacks.

[Figure: ECB mode: each plaintext block (m0, ...) passes through its own Ek to give the corresponding cyphertext block (c0, ...)]
26
ECB properties
  • Identical plaintext blocks result in identical
    cyphertext blocks
  • Blocks are enciphered independently
      • reordering cyphertext blocks results in reordered
        plaintext blocks
  • ECB thus not recommended for messages > 1 block
    or reuse over more than one message.
  • Error propagation: one or more bit errors in a
    cyphertext block only affects the corresponding
    plaintext block
      • In general for a typical cypher decryption for
        this block results in random plaintext (i.e. 50%
        of plaintext in error)
  • Can strengthen through the use of random padding
    bits

27
cypher block chaining (CBC)
  • Cypher Block Chaining (CBC)
      • Blocks are chained together
      • IV is some predetermined value

[Figure: CBC mode: plaintext blocks (m0, ...), the IV, one Ek per block, and cyphertext blocks (c0, ...)]
28
CBC properties
  • Identical plaintexts result in identical
    cyphertexts when the same plaintext is encyphered
    using the same key and IV.
      • Changing one or more of k, IV or $m_0$ affects this.
  • Chaining dependencies
      • Cyphertext $c_j$ depends on $m_0, \ldots, m_j$
      • Rearrangement of cyphertext blocks affects
        decryption
  • Error propagation
      • Bit error in cyphertext $c_j$ affects decyphering of
        $c_j$ and $c_{j+1}$.
      • Recovered block $m_j$ typically results in random
        bits
      • Bit errors in recovered block $m_{j+1}$ are precisely
        where $c_j$ was in error.
      • Attacker can cause predictable bit changes in
        $m_{j+1}$ by altering $c_j$
  • Bit Recovery
      • CBC is self-synchronising or cyphertext autokey
        in that if a bit error occurs in $c_j$ but not $c_{j+1}$,
        then $c_{j+2}$ correctly decrypts to $m_{j+2}$
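
Added example (not from the original slides), covering both the Feistel slides (14-15) and the ECB/CBC property slides: a 16-round Feistel cypher on 64-bit blocks built from non-invertible round functions, decrypted by running the rounds in reverse order, then used as Ek in ECB and CBC. The SHA-256-based round function, key, IV and message are assumptions chosen for illustration; this is not DES.

```python
import hashlib

BS = 8                                    # 64-bit block = two 32-bit halves

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def f(key, i, half):
    """Round function f_i: a truncated hash, so it has no inverse."""
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BS // 2]

def feistel(block, key, order):
    l, r = block[:BS // 2], block[BS // 2:]
    for i in order:                       # l_i = r_{i-1}, r_i = l_{i-1} XOR f_i(r_{i-1})
        l, r = r, xor(l, f(key, i, r))
    return r + l                          # halves swapped on output (C = R16 L16)

def E(key, block):
    return feistel(block, key, range(16))

def D(key, block):                        # same ladder, round functions reversed
    return feistel(block, key, reversed(range(16)))

def blocks(data):
    return [data[i:i + BS] for i in range(0, len(data), BS)]

def ecb_encrypt(key, m):
    return b"".join(E(key, b) for b in blocks(m))

def cbc_encrypt(key, iv, m):
    out, prev = [], iv
    for b in blocks(m):
        prev = E(key, xor(b, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, c):
    pairs = zip(blocks(c), [iv] + blocks(c))
    return b"".join(xor(D(key, b), prev) for b, prev in pairs)

def cbc_error_pattern(key, iv, m, j, mask):
    """Flip `mask` in the first byte of c_j; return the XOR error in each recovered block."""
    c = bytearray(cbc_encrypt(key, iv, m))
    c[j * BS] ^= mask
    return [xor(a, b) for a, b in zip(blocks(m), blocks(cbc_decrypt(key, iv, bytes(c))))]

# Constructed sample: four identical plaintext blocks, fixed key and IV.
KEY, IV, MSG = b"example key", b"\x00" * BS, b"SAMEBLK!" * 4
```

With the sample values, ecb_encrypt yields four identical cyphertext blocks while cbc_encrypt yields four different ones, and cbc_error_pattern(KEY, IV, MSG, 1, 0x01) shows no error in block 0, a scrambled block 1, exactly the flipped bit in block 2 and no error in block 3.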

29
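output feedback mode (OFB)
  • Output Feedback Mode (OFB) (effectively a stream
    cypher)

[Figure: OFB mode: the IV is fed through successive Ek to produce the keystream, which is combined with plaintext blocks (m0, ...) to give cyphertext blocks (c0, ...)]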
30
properties of OFB
  • Identical plaintexts result in identical
    cyphertexts when the same plaintext is enciphered
    using the same key and IV.
  • Chaining dependencies
      • The keystream is plaintext independent
  • Error propagation
      • one or more bit errors in any cyphertext block
        affect only the decipherment of that block, in the
        precise position of the error
  • Error recovery
      • OFB recovers from cyphertext bit errors but not
        bit loss (results in misalignment of keystream)
  • Throughput
      • Keystream may be independently calculated (e.g.
        precomputed)
  • IV must be changed if the key is reused

31
evaluating block cyphers and modes
  • Estimated Security Level
      • Confidence grows the longer it has been openly
        analysed.
  • Key Size
      • An upper bound on the security of the cypher
        (i.e. brute force).
      • Longer keys have added costs to key generation,
        distribution, storage, difficulty to remember
        passwords, key recovery (!)
  • Throughput
      • Relates to affinity of design to implementation
  • Block Size
      • Larger is better but more costly
  • Complexity of Cryptographic Mapping
  • Data Expansion
  • Error Propagation
      • Effect of bit errors differs between cyphers and
        mode of operation

32
references
  • Handbook of Applied Cryptography
  • 7.1 - 7.4
  • Stallings (3rd Ed)
  • 3