Engineering Cryptographic Applications: Symmetric Encryption

First class of four-part series developed for introducing engineers to cryptography.

Delivered at AMC Theater in Tyson's Corner for Microstrategy, 4 October 2013.


  1. Engineering Cryptographic Applications
  2. Plan for the Course. Today: Symmetric Encryption – Introduction, a bit of History – Perfect Ciphers – Cryptanalysis of Imperfect Ciphers – Modern Symmetric Ciphers. Oct 11 (10:30am): Implementation, Authentication. Oct 18 (10:30am): Public-Key Protocols. Oct 25 (10:30am): New Applications. Engineering Crypto Applications 1 evans@virginia.edu
  3. Goal of The Course? Learn enough so you can design and implement crypto applications. Learn enough so you know how hard it is to get crypto right, and will not be foolish enough to try it based on an 8-hour course!
  4. User Interaction Design: Every programmer thinks they can do it. Obscenely over-paid consultants claim they can’t. If you get it wrong, every customer notices (and leaves). Cryptosystem Design: Every engineer with a strong math background thinks they can do it. Obscenely over-paid consultants claim they can’t. If you get it wrong, probably no one notices.
  5. “If they had consulted with anyone that knows anything about password security, this would not have happened,” said Paul Kocher, president of Cryptography Research, a San Francisco computer security firm. Karsten Nohl, …, said the encryption hole allowed outsiders to obtain a SIM card’s digital key, …, which let him eavesdrop on a caller, make purchases through mobile payment systems and even impersonate the phone’s owner… as many as 750 million phones may be vulnerable to attacks… Mr. Nohl said. “We can spy on you. We know your encryption keys for calls. We can read your S.M.S.’s. More than just spying, we can steal data from the SIM card, your mobile identity, and charge to your account.”
  6. Real Goals • Know enough to avoid obviously bad crypto designs and implementations • Know enough to be able to ask important questions about cryptosystems • Know enough to know what you need to learn more about to build something secure • …and hopefully fun and interesting for everyone!
  7. (image only)
  8. What is cryptology? • Greek: κρυπτός = “kryptos” = hidden (secret) • Cryptography – secret writing • Cryptanalysis – analyzing (breaking) secrets. Cryptanalysis is what an attacker does; decryption is what the intended receiver does. • Cryptosystems – systems that use secrets • Cryptology – science of secrets
  9. Cryptology is a branch of mathematics: about abstract numbers and functions. Security is an engineering goal: it involves mathematics, but is mostly about real implementations and people.
  10. Introductions. Diagram: Alice encrypts Plaintext to Ciphertext and sends it over an Insecure Channel; Bob decrypts it back to Plaintext; Eve (passive attacker) listens on the channel.
  11. Introductions. Same diagram, but now Mallory (active attacker) sits on the Insecure Channel (e.g., the Internet) and can modify or inject ciphertext as well as read it.
  12. Message Cryptosystem. Two functions: E(m: byte[]) → byte[] and D(c: byte[]) → byte[]. Correctness property: for all possible messages m, D(E(m)) = m. Security property: given c = E(m), it is “hard” to learn anything interesting about m.
  13. It is possible to state the security property precisely (and prove a cryptosystem satisfies it given hardness assumptions). This is the main thing Shafi Goldwasser and Silvio Micali did in the 1980s to win the 2013 Turing Award.
  14. (slide 12 repeated)
  15. Kerckhoffs’ Principle (portrait of Auguste Kerckhoffs): the security of a cryptosystem must rest on the secrecy of the key, not on the secrecy of the algorithm.
  16. Algorithms Can Run, But They Can’t Hide. Chart: car theft rate (by model year), source: hldi.org. Photo: Mifare RFID card.
  17. Inside the Mifare Chip. Micrograph of the die; scale bar 0.01 mm (10000 nm).
  18. Interconnection Layers / Logic Layer (die micrographs).
  19. Zooming in on the Logic… Gate images (rotated; rotated + mirrored) matched against a library cell: 4-input NAND, Y = !(A & B & C & D).
  20. Mifare Crypto-1. Diagram labels: 48-bit LFSR, nonlinear filter f(·), RNG, Challenge, Key stream, ID + Response.
  21. “The enemy knows the system being used.” Claude Shannon, Communication Theory of Secrecy Systems (1949). Claude Shannon, 1916-2001.
  22. What I would have said last month… Security through obscurity is a bad idea – much better to use publicly vetted standards that have been scrutinized by experts, and rely on the key for security.
  23. …then this happened (news image)
  24. What I’d say today… You’re probably still better off using well-vetted open standards. Just be wary of ones the NSA could influence.
  25. (Keyed) Symmetric Cryptosystem. Diagram: Plaintext → Encrypt (with Key) → Ciphertext → Insecure Channel → Decrypt (with the same Key) → Plaintext. Only secret is the key, not the E and D functions, which now take the key as input. Asymmetric crypto: different keys for E and D, so you can reveal E without revealing D.
  26. Example: Jefferson’s Wheel (photo)
  27. Jefferson’s Wheel Cipher • 26 wheels arranged in a secret order on a spindle • Each wheel has a randomly permuted alphabet around its rim • Encrypt: turn the wheels to display the plaintext, then pick a “random” row and that is the ciphertext • Decrypt: arrange the wheels in the same (secret) order, line up the ciphertext, look around the wheels for the row that reads as plaintext
  28. Who was the real cryptographer? Thomas Jefferson (1790s) or Auguste Kerckhoffs (1883)?
  29. Jefferson’s description of the wheel cipher (1802): “on the periphery of each, and between the black lines, put all the letters of the alphabet, not in their established order, but jumbled, & without order, so that no two shall be alike. now string them in their numerical order on an iron axis, one end of which has a head, and the other a nut and screw; the use of which is to hold them firm in any given position when you choose it.”
  30. Key Space. Key space: K = set of possible keys. Brute force attack: try all keys until you find one that “works”. If the key is the order of the wheels on the spindle: |K| = 26 × 25 × … × 1 = 26! > 10^26. If the key is the jumbling of letters on the wheels: |K| = (26 × 25 × … × 1)^26 = (26!)^26 > 10^691.
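The wheel cipher of slides 27–30 as an added worked example in Python, not code from the original slides: the wheels are random permutations of the alphabet, the key is the secret order of the wheels on the spindle, one row offset is chosen at random per block of 26 letters, and decryption produces the 25 other rows from which the receiver picks the one that reads as plaintext. The seeded `random.Random` in `demo()` is an assumption made only so the demo is repeatable; real use draws the row from `secrets.SystemRandom()`, the default.

```python
import math
import random
import secrets
import string

ALPHABET = string.ascii_uppercase


def make_wheels(rng, n_wheels=26):
    """Build the physical wheels: each carries the alphabet in a jumbled order.
    The jumbling is part of the device, so per Kerckhoffs assume the enemy has it."""
    wheels = []
    for _ in range(n_wheels):
        letters = list(ALPHABET)
        rng.shuffle(letters)
        wheels.append("".join(letters))
    return wheels


def make_key(rng, n_wheels=26):
    """The key is the secret order in which the wheels are strung on the spindle."""
    order = list(range(n_wheels))
    rng.shuffle(order)
    return order


def key_space_size(n_wheels=26):
    """Number of wheel orders: 26! for the standard device (slide 30)."""
    return math.factorial(n_wheels)


def encrypt(plaintext, wheels, order, rng=secrets.SystemRandom()):
    """Turn the wheels to spell each block of plaintext, then read off one of
    the other 25 rows. Choosing a fresh row per block keeps the ciphertext
    from degenerating into a single fixed substitution."""
    msg = plaintext.upper()
    if any(ch not in ALPHABET for ch in msg):
        raise ValueError("the wheel cipher handles letters A-Z only")
    n = len(order)
    out = []
    for start in range(0, len(msg), n):
        row = rng.randrange(1, 26)        # 1..25: never the plaintext row itself
        for j, p in enumerate(msg[start:start + n]):
            wheel = wheels[order[j]]
            out.append(wheel[(wheel.index(p) + row) % 26])
    return "".join(out)


def decrypt_candidates(ciphertext, wheels, order):
    """Line the ciphertext up on correctly ordered wheels and return, per block,
    the 25 other rows. Exactly one is the plaintext; the receiver recognises it
    by eye, because the cipher itself gives no signal that a row is right."""
    n = len(order)
    blocks = []
    for start in range(0, len(ciphertext), n):
        block = ciphertext[start:start + n]
        rows = []
        for row in range(1, 26):
            rows.append("".join(
                wheels[order[j]][(wheels[order[j]].index(c) - row) % 26]
                for j, c in enumerate(block)))
        blocks.append(rows)
    return blocks


def demo(seed=1790):
    """Repeatable end-to-end run; the seeded RNG is for the demo only."""
    rng = random.Random(seed)
    wheels = make_wheels(rng)
    order = make_key(rng)
    plaintext = "ATTACKATDAWN"
    ciphertext = encrypt(plaintext, wheels, order, rng)
    return plaintext, ciphertext, decrypt_candidates(ciphertext, wheels, order)[0]
```

The 25-candidate decryption is the point to notice: nothing in the cipher distinguishes the right row from the wrong ones, so the brute-force attacker of slide 30 needs exactly the same "does this read as language" test as the legitimate receiver, just 26! times over.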
  31. (Im)Practicality of Brute Force Attacks. Minimum energy needed to flip one bit (Landauer limit) ≈ kT ln 2 ≈ 2.8 zepto-Joules, with k ≈ 1.4 × 10^-23 J/K (Boltzmann’s constant) and T = temperature (300 K).
  32–36. Energy to enumerate a key space at the Landauer limit (slides 32–35 build up this table; slide 36 adds the caveat):
     Bit flips                         Energy           WolframAlpha description
     2^40   (Mifare Crypto-1)          3 × 10^-9 J      “mass-energy equivalent of a Z boson”
     2^56   (DES)                      2 × 10^-4 J      “acoustic energy in a whisper”
     2^80   (“low security”)           3 × 10^3 J       “metabolic energy of one gram of sugar”
     26!    (Jefferson + Kerckhoffs)   1 × 10^6 J       “energy of one gram of gasoline”
     2^128  (AES minimum)              9 × 10^17 J      “twice energy consumption of Norway in 1998”
     2^256  (AES maximum)              3 × 10^56 J      “1/120th mass energy equivalent of galaxy’s visible mass”
     This is the best (unrealistic) possible case for a brute force attack: the attacker need do nothing other than represent each key, using the physically most efficient bit flips. But it assumes better-than-brute-force attacks are not possible. All of these ciphers have weaknesses, and are much less secure than the maximum security possible for that key size.
  37. Can any cipher resist an infinitely powerful brute-force attacker?
  38. Claude Shannon, A Mathematical Theory of Cryptography, 1945 (declassified later): Yes! Check out my perfect cipher! (It’s the only one.)
  39. Exclusive Or: 0 ⊕ 0 = 0, 0 ⊕ 1 = 1, 1 ⊕ 0 = 1, 1 ⊕ 1 = 0. Invertible: A ⊕ B ⊕ B = A.
  40. One-Time Pad: C[i] = M[i] ⊕ K[i]
  41. One-Time Pad: C[i] = M[i] ⊕ K[i], with Pr(K[i] = 0) = Pr(K[i] = 1) = ½ and K independent of M. Pr(C[i] = 0) = Pr(M[i] = 0) × Pr(K[i] = 0) + Pr(M[i] = 1) × Pr(K[i] = 1) = ½ Pr(M[i] = 0) + ½ Pr(M[i] = 1) = ½ Pr(M[i] = 0) + ½ (1 − Pr(M[i] = 0)) = ½. Perfect secrecy! The ciphertext reveals nothing about the message.
  42. Vernam’s One-Time Pad (1919). Key: a long paper tape with random letters on it (5-bit code). Cannot reuse the key – the tape must be very, very long!
  43. Why perfectly secure? For any intercepted ciphertext, without knowing the key all plaintexts are equally possible:
     C:  1000101 0110100 1010101 0011001
     K1: 0001000 1100111 0000001 1001011
     M1: 1001101 1010011 1010100 1010010   M S T R
     K2: 0001000 1100111 0010011 1001101
     M2: 1001101 1010011 1000110 1010100   M S F T
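The one-time pad of slides 39–43 as an added example in Python, not code from the original slides: XOR encryption and decryption, the slide’s own 7-bit values (C, K1 and K2 packed one code per byte, an assumption about representation), the key that “explains” any alternative plaintext of the same length, and a small pad holder that refuses to hand out key material twice, which is the property slide 42 warns about.

```python
import secrets


def xor_bytes(a, b):
    """C = M xor K and M = C xor K; the pad must be exactly message-length."""
    if len(a) != len(b):
        raise ValueError("one-time pad key must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


encrypt = xor_bytes
decrypt = xor_bytes


def otp_keygen(n):
    """Fresh, uniformly random pad bytes from the OS CSPRNG."""
    return secrets.token_bytes(n)


def key_explaining(ciphertext, claimed_plaintext):
    """Perfect secrecy, constructively: for ANY plaintext of the right length
    there is a key under which this ciphertext decrypts to it, so the
    ciphertext alone cannot favour one plaintext over another."""
    return xor_bytes(ciphertext, claimed_plaintext)


class OneTimePad:
    """Pad material that is consumed exactly once. Reusing a stretch of pad
    turns it into a "two-time pad", which the next slides break with cribs."""

    def __init__(self, pad):
        self._pad = pad
        self._used = 0

    def take(self, n):
        if self._used + n > len(self._pad):
            raise RuntimeError("pad exhausted: never reuse key material")
        chunk = self._pad[self._used:self._used + n]
        self._used += n
        return chunk

    def encrypt(self, message):
        return xor_bytes(message, self.take(len(message)))


# The slide's worked example: 7-bit codes, one per byte.
SLIDE_C = bytes([0b1000101, 0b0110100, 0b1010101, 0b0011001])
SLIDE_K1 = bytes([0b0001000, 0b1100111, 0b0000001, 0b1001011])
SLIDE_K2 = bytes([0b0001000, 0b1100111, 0b0010011, 0b1001101])
```

`key_explaining(SLIDE_C, b"MSFT")` returns exactly the slide’s K2: an eavesdropper holding C and nothing else has no way to prefer MSTR over MSFT, or over any other four-letter string.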
  44. No Other Perfect Ciphers. Diagram: messages M1 … Mn, ciphertexts C1 … Cn, keys Ki … Kj. To be perfect, there must be a key that maps each message to each ciphertext, so |K| ≥ |M|. Hence, any practical cipher must be imperfect! (This is what Shannon proved in the 1945 paper.)
  45. (image only)
  46. Cryptanalysis. Diagram: Alice encrypts with Key, Bob decrypts with Key, over the Insecure Channel; Eve cryptanalyzes the Ciphertext to get Plaintext (or something useful).
  47. Lorenz Cipher Machine (photo)
  48. The World in July 1941. Map: http://commons.wikimedia.org/wiki/File:Ww2_allied_axis_1941_jul.png, marking Bletchley Park.
  49. 21st October 1941. Dear Prime Minister, Some weeks ago you paid us the honour of a visit, and we believe that you regard our work as important. … it seems to us that we have met with unnecessary impediments. …The cumulative effect, however, has been to drive us to the conviction that the importance of the work is not being impressed with sufficient force upon those outside authorities with whom we have to deal. A.M. Turing (+ 3 others). Photos: Winston Churchill, Alan Turing. (Slide footer: 5 October 2013, University of Virginia cs4414.)
  50. HQIBPEXEZMUG! August 30, 1941: a Lorenz operator retransmits a failed message with the same starting configuration, gets lazy and uses some abbreviations, and makes some mistakes. SPRUCHNUMMER/SPRUCHNR (serial number). Photo: GCHQ today (not what it looked like in 1941!)
  51–52. “Two Time” Pad. Allies have intercepted: C1 = M1 ⊕ K1 and C2 = M2 ⊕ K1. Then C1 ⊕ C2 = M1 ⊕ K1 ⊕ M2 ⊕ K1 = M1 ⊕ M2: the key cancels out.
  53. “Cribs”. Don’t know M1 or M2, but know they are in German and can make some guesses (cribs): SPRUCHNUMMER, ADOLF HITLER, FUHRER. Given a guess for (part of) M1, calculate M2 = C1 ⊕ C2 ⊕ M1. If M2 seems plausible, calculate the key: K1 = M1 ⊕ C1.
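Crib dragging against the two-time pad of slides 51–53, as an added example in Python, not code from the original slides. The two German messages and the shared pad are constructed here; the attack XORs the two ciphertexts, slides a guessed phrase along the result, and keeps the offsets where the bytes that fall out look like text. The plausibility filter (uppercase letters and spaces only) is an assumption standing in for the human reader; it lets some false alignments through, which is exactly why the slide says “if M2 seems plausible”.

```python
import secrets
import string

PLAUSIBLE = set((string.ascii_uppercase + " ").encode())


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def drag_crib(c1, c2, crib):
    """Slide a guessed fragment of one message along C1 xor C2 = M1 xor M2.
    Where the guess is correctly aligned, XORing it in leaves the same stretch
    of the OTHER message. Returns (offset, candidate) pairs that pass the
    plausibility filter; a human then reads them and discards the junk."""
    diff = xor_bytes(c1, c2)
    hits = []
    for off in range(len(diff) - len(crib) + 1):
        candidate = xor_bytes(diff[off:off + len(crib)], crib)
        if all(b in PLAUSIBLE for b in candidate):
            hits.append((off, candidate))
    return hits


def recover_key(ciphertext, known_plaintext, offset):
    """Once a fragment of either plaintext is trusted, K = C xor M there."""
    return xor_bytes(ciphertext[offset:offset + len(known_plaintext)], known_plaintext)


def decrypt_fragment(ciphertext, key_fragment, offset):
    """The recovered key stretch decrypts the same positions of the other message."""
    return xor_bytes(ciphertext[offset:offset + len(key_fragment)], key_fragment)


# Constructed scenario: two messages sent under the same stretch of pad.
M1 = b"SPRUCHNUMMER ZWEI ANGRIFF BEGINNT BEI MORGENGRAUEN"
M2 = b"AN DEN FUEHRER ADOLF HITLER NACHSCHUB DRINGEND NOETIG"
KEY = secrets.token_bytes(max(len(M1), len(M2)))   # fresh each run; the attack never sees it
C1 = xor_bytes(M1, KEY)
C2 = xor_bytes(M2, KEY)


def attack():
    """Guess that ADOLF HITLER occurs somewhere in M2: find where, recover the
    pad bytes at that offset, and read M1 at the same positions."""
    crib = b"ADOLF HITLER"
    results = []
    for off, other_text in drag_crib(C1, C2, crib):
        k = recover_key(C2, crib, off)
        results.append((off, other_text, decrypt_fragment(C1, k, off)))
    return results
```

Each recovered key fragment only covers the crib’s positions; the analyst extends it by guessing the continuation of whichever message now reads as text, recovering more key, and alternating between the two messages until both are readable.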
  54. Reverse Engineering Lorenz. Brigadier John Tiltman (1894-1982) found the 4000-letter key K1 from the intercepted C1 and C2. Bill Tutte (U. Waterloo, 1917-2002) figured out the machine design likely to produce K1.
  55. Main weakness: at each step, either all S wheels turn, or none do! Knew the machine structure, but a different initial configuration was used for each message: need to find the wheel settings (10^19 possible), but the weakness reduces the search to 41 × 31. The X wheels all rotate every letter; the S wheels rotate conditionally, under control of the M wheels.
  56. Recognizing a Good Guess. Intercepted message, divided into 5 channels c (one for each Baudot code bit): z_{c,i} = m_{c,i} ⊕ x_{c,i} ⊕ s_{c,i} (message ⊕ key part from the X wheels ⊕ key part from the S wheels). Cryptanalyze: look for statistical properties. How many of the z_{c,i} are 0? ½ (not useful). How many of the deltas Δz_{c,i} = z_{c,i+1} ⊕ z_{c,i} are 0? ½.
  57. Double Delta. Combine two channels: ΔZ_{1,i} ⊕ ΔZ_{2,i} = ΔM_{1,i} ⊕ ΔM_{2,i} ⊕ ΔX_{1,i} ⊕ ΔX_{2,i} ⊕ ΔS_{1,i} ⊕ ΔS_{2,i}. Pr(ΔX_{1,i} ⊕ ΔX_{2,i} = 0) = ½ (key). Pr(ΔM_{1,i} ⊕ ΔM_{2,i} = 0) > ½: Yippee! The message is in German, and a letter repeating the preceding one is more likely than random. Pr(ΔS_{1,i} ⊕ ΔS_{2,i} = 0) > ½: Yippee! The S-wheels only turn when the M-wheel is 1. Actual advantage ≈ 0.55.
  58. Using the Advantage. Try all configurations of the X wheels to find the one(s) with the highest number of 0s. If the guess of X is incorrect: Pr(ΔZ_{1,i} ⊕ ΔZ_{2,i} ⊕ ΔX_{1,i} ⊕ ΔX_{2,i} = 0) = ½. If the guess of X is correct: ≈ 0.55. Number of double delta operations: 10,000 letters in the message × 1271 settings × 7 per double delta = 89 M operations. Today: < 0.01 s on my phone… but this was 1943.
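The statistical attack of slides 55–58 as an added simulation in Python, not code from the original slides and not a model of the actual Lorenz machine. It keeps only what the argument needs: two channels z = m ⊕ x ⊕ s, where m repeats its previous bit more often than not (standing in for German text), the S contribution on both channels steps together or not at all (the “all or none” weakness), and the X contribution comes from two fixed rings of 41 and 31 bits that advance one step per letter. The bias values, ring contents, seed and 10,000-letter length are all constructed assumptions; with these biases the model’s advantage comes out a little above the slide’s ≈ 0.55. The search does what Colossus did: try all 41 × 31 = 1271 settings and keep the one whose double delta has the most zeros.

```python
import random

CHI1_LEN, CHI2_LEN = 41, 31   # ring lengths; 41 x 31 = 1271 settings to try (slide 55)


def delta(bits):
    """Delta of a bit stream: each bit XORed with the one that follows it."""
    return [bits[i] ^ bits[i + 1] for i in range(len(bits) - 1)]


def bits_to_int(bits):
    """Pack a bit list into an int so one XOR covers the whole message."""
    return int("".join("1" if b else "0" for b in bits), 2)


def wheel_stream(wheel, start, n):
    """An X wheel: a fixed ring of bits that advances one position per letter."""
    return [wheel[(start + i) % len(wheel)] for i in range(n)]


def biased_channel(rng, n, p_repeat):
    """Constructed stand-in for one channel of plaintext: the next bit repeats
    the previous one with probability p_repeat (> 1/2, like German text)."""
    bits = [rng.randrange(2)]
    for _ in range(n - 1):
        bits.append(bits[-1] if rng.random() < p_repeat else 1 - bits[-1])
    return bits


def simulate_intercept(n=10000, seed=1941):
    """Produce two intercepted channels plus the (normally unknown) truth."""
    rng = random.Random(seed)
    m1 = biased_channel(rng, n, 0.75)
    m2 = biased_channel(rng, n, 0.75)
    # S contribution: both channels either step together (fresh bits) or stand
    # still, so delta S is 0 on both channels whenever they do not step.
    s1, s2 = [], []
    b1, b2 = rng.randrange(2), rng.randrange(2)
    for _ in range(n):
        if rng.random() < 0.25:
            b1, b2 = rng.randrange(2), rng.randrange(2)
        s1.append(b1)
        s2.append(b2)
    chi1 = [rng.randrange(2) for _ in range(CHI1_LEN)]
    chi2 = [rng.randrange(2) for _ in range(CHI2_LEN)]
    setting = (rng.randrange(CHI1_LEN), rng.randrange(CHI2_LEN))
    x1 = wheel_stream(chi1, setting[0], n)
    x2 = wheel_stream(chi2, setting[1], n)
    z1 = [m ^ x ^ s for m, x, s in zip(m1, x1, s1)]
    z2 = [m ^ x ^ s for m, x, s in zip(m2, x2, s2)]
    return z1, z2, chi1, chi2, setting


def double_delta_zeros(z1, z2, chi1, chi2, start1, start2):
    """Count positions where dZ1 ^ dZ2 ^ dX1 ^ dX2 == 0 for one guessed setting.
    Right guess: the X terms cancel and the plaintext/S bias shows through.
    Wrong guess: the leftover X pattern scrambles the count back to ~1/2."""
    n = len(z1)
    dz = bits_to_int(delta(z1)) ^ bits_to_int(delta(z2))
    dx = bits_to_int(delta(wheel_stream(chi1, start1, n))) ^ \
        bits_to_int(delta(wheel_stream(chi2, start2, n)))
    return (n - 1) - bin(dz ^ dx).count("1")


def recover_setting(z1, z2, chi1, chi2):
    """Colossus's job: run every setting and keep the highest zero count."""
    n = len(z1)
    dz = bits_to_int(delta(z1)) ^ bits_to_int(delta(z2))
    dx1 = [bits_to_int(delta(wheel_stream(chi1, s, n))) for s in range(CHI1_LEN)]
    dx2 = [bits_to_int(delta(wheel_stream(chi2, s, n))) for s in range(CHI2_LEN)]
    best, best_zeros = None, -1
    for s1 in range(CHI1_LEN):
        for s2 in range(CHI2_LEN):
            zeros = (n - 1) - bin(dz ^ dx1[s1] ^ dx2[s2]).count("1")
            if zeros > best_zeros:
                best, best_zeros = (s1, s2), zeros
    return best, best_zeros
```

Packing each channel into one integer turns the 89 million bit operations of slide 58 into 1271 wide XORs plus popcounts, which is the same trick Colossus played in hardware by streaming the tape past parallel counters.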
  59. 1943: Build the first (?) electronic, programmable computer: Colossus
  60. Colossus Design. Block diagram: Ciphertext Tape → Tape Reader (50 km/h, 5000 chars/second) → Logic (⊕, = 0) combined with an Electronic Keytext Generator → Counter; a Position Counter and Printer record the results.
  61. Impact on WWII. 10 Colossus machines operated at Bletchley. Decoded 63 million letters in Nazi messages. Learned German troop locations to plan D-Day.
  62. Modern Cryptanalysis • Basically the same: + bigger, faster computers; – less motivated, more bureaucratic government • Know or reverse engineer the cipher algorithm • Look for statistical weaknesses in ciphers to get some small advantage: because all ciphers are imperfect, there must be some • Reduce the keyspace from brute-force search to a smaller incremental search
  63. (image only)
  64. Path to AES • DES (Data Encryption Standard) – developed at IBM in the 1970s; adopted as a US federal standard in 1977 by NBS (now NIST), with NSA involvement in the design – 56-bit key • By 1999: distributed.net can break a DES key in 22 hours (today: < $10K to break a DES key) • NIST selected AES (Advanced Encryption Standard) in 2001 – open, public process – winner: Rijndael (developed by two Belgians)
  65. AES Round. Variable cost/strength: key sizes 128, 192, 256 bits; block sizes 128, 192, 256 bits (in Rijndael; the AES standard fixes the block size at 128 bits); rounds 10, 12, or 14 (by key size). Special AES instructions in x86. Each round (10-14 rounds total): 1. Byte substitution using a non-linear S-Box (lookup table) 2. Shift rows (of the state square) 3. Mix columns – matrix multiplication by a polynomial 4. XOR with the round key
  66. Most Common Mistake. S-Boxes: x = S[b], where S is a 256-byte table and b is an index into the table. The time this takes varies based on the value of b and the state of the cache. Keaton Mowery, Sriram Keelveedhi, and Hovav Shacham. Are AES x86 Cache Timing Attacks Still Feasible? (2012)
  67. From Jeff Moser’s A Stick Figure Guide to the Advanced Encryption Standard (AES) (image)
  68. Can the NSA break AES? • Most actual uses: probably yes – this is because of implementation flaws and user mistakes • Correct implementation: probably not – best openly known attacks: • Related key attacks (2009): 2^95 operations (but only works in very rare circumstances) • Key recovery attack (2011): 2^126 operations (to recover a 128-bit key)
  69. (chart) Assumes the most efficient computation physically possible and only bit flips for each operation.
  70. (chart: × 1 Trillion)
  71. Summary • Cryptography is an arms race between cryptographers and cryptanalysts • In theory, the cryptanalysts should always win (all practical ciphers are imperfect) • In our universe, computation requires energy, which is limited; who wins depends on deep questions we can’t yet answer (e.g., P = NP) • In practice, most cryptosystems fail because of bad implementations and humans, not bad mathematics
  72. Plan for Next Week: Randomness; Using Symmetric Ciphers; Authentication – what LinkedIn did wrong, why biometrics can’t work. Open to requests! evans@virginia.edu www.JeffersonsWheel.org MightBeEvil.com
