12 symmetric key cryptography


Published on

  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Welcome to SEC103 on Secure Programming Techniques. In this course, I assume that you have some background in computer security, but now you want to put that background to use. For example, in the Computer Security Principles and Introduction To Cryptography courses, we cover topics such concerning trust and encryption. In this course, we put these principles into to practice, and I’ll show you have to write secure code that builds security into your applications from the ground up.
  • XOR = Exclusive OR FIPS = Federal Information Processing Standard Key size was originally 128 bits– NSA reduced it to 56 bits. Key is actually 64 bits, with 8 parity bits. We say the key is 56-bits because the key only has 56-bits of entropy. Designed for speed and hardware implementation. feistel was one of the guys at IBM that helped design the algorithm. IP and its inverse don’t provide any additional security, but they simplify the hardware implementation of DES: see http://www.tcs.hut.fi/~helger/crypto/news/010425_koontz.txt High-level description of algorithm: Input bits are permuted Bits are split into left half and right half During each round, the 32 bits of the right half are expanded to 48 bits (some bits are used more than once), and XORed with 48 bits selected from the key. The XORed bits are then run through 8 “S-boxes” or substitutions, where each S-box takes 6 bits as input and produces 4 bits of output. The S-boxes give DES its security. The result of the S-box computation is then permuted once more (using a P-box) and XORed with the left half of the bits. The left and right halves are then switched for the next round. 16 rounds are repeated, and then a final permutation is applied. Goal: every bit of the ciphertext should be a random function of the plaintext and the key such that given many plaintext/ciphertext pairs, it should be computationally infeasible to deduce the key. Same algorithm used for encryption and decryption. For decryption, use the key in reverse. Sounds like black magic. There was much speculation that the NSA put a “back door” into the algorihtm. Exportable only if <=40-bits are used for the key. Is 16 rounds enough? Algorithm has been broken with smaller numbers of rounds. Use 3-DES for more rounds. More information and DES spec at http://www.itl.nist.gov/fipspubs/fip46-2.htm
  • Triple DES can be used to achieve a higher level of security than with DES alone. As the name implies, Triple DES runs DES three times with three potentially different keys. The way that you would do a triple DES encryptions is by taking the input message, M, encrypting with key 1, decrypting the resulting message with key 2, and encrypting that message with key 3. You might be wondering why Triple DES does a decryption as its second step instead of just encrypting three times. The reason is for backward compatibility. Notice that if k1=k2=k3 (all the keys are the same), doing a Triple DES encryption is exactly equivalent to doing a DES encryption. This means that if your system used to, say, use a microchip that had DES implemented in hardware, you could switch to using a microchip that uses Triple DES quite easily by giving the Triple DES chip the same key for all three required keys. Of course, once you do switch over to using Triple DES, you can achieve a higher level of security by using more than just one key. To get the higher level of security with Triple DES, you can choose three different keys, which will give you 168-bits of security. (The entire key will be 192-bits including the parity bits.) Or alternatively, you can use only two different keys, and you can set k1 = k3 which will give you 112-bits of security. (The key will be 128-bits with the parity bits.) You may have heard that web browsers do “128-bit encryption” when communicating with web servers that use SSL, the secure sockets layer protocol. This “128-bit encryption” is done with Triple DES using two keys, so know you know a little bit about the type of encryption that web browsers use. We will learn more about SSL in Lecture 5. Finally, as we mentioned earlier, if you use the same key as input for all the three Triple DES keys, Triple DES is equivalent to DES, with the caveat that it could be up to three times slower since two encryptions and one decryption will need to be done with Triple DES to emulate DES. Also part of FIPS 46-3. 128-bit 3DES used in web browsers that support SSL. Much more secure than DES. Why decrypt using second key instead of encrypt? For backward compatibility.
  • The next symmetric cipher that we will cover is AES, the Advanced Encryption Standard. AES is meant to be a replacement for DES that has been adopted by NIST in October 2000. DES is too easily crackable, and Triple DES is too slow (requiring 48 rounds of a Feistel network). AES is meant to be a replacement for DES / Triple-DES that provides security with larger keys and fewer rounds. The AES standard is a government endorsed cipher that was developed using the most open process to date for such things. In 1997, the need for a new standard was announced by NIST, that National Institiute for Standards and Technology, and invited proposals for a new symmetric block cipher that satisfied their requirements. Fifteen different ciphers were proposed by cryptographers from all over the world, and conferences were held over the course of a three year period that debated the strengths and weaknesses of the proposed ciphers with regards to security, speed, memory requirements, and other hardware and software implementation considerations. The requirements for AES were more stringent than DES because, for example, NIST wanted to select an algorithm that would work well on mobile devices that have slower processors and less memory than desktop computers. In August 1999, five finalists were chosen, and a proposal made by 2 Belgian cryptographers called Rijndael was chosen to be the AES standard. Rijndael supports key and block sizes of 128, 192, or 256 bits, and runs in 10, 12, or 14 rounds depending up on the key/block size. Interestingly enough, the Rijndael cipher uses S-boxes and XORs, but does not use a Fiestel network. In applications that need symmetric block encryption, using AES will achieve better performance and will use less memory than DES or Triple DES. Due to the nature of the selection process that it went through, the hope is that AES is also more secure than DES. Selection process report at http://csrc.nist.gov/encryption/aes/round2/r2report.pdf More information at http://csrc.nist.gov/encryption/aes/
  • So far, we have covered three block ciphers, DES, Triple DES, and AES that can be used to encrypt 64, 128, 192, or 256-bit blocks of plaintext. They are called block ciphers because they take input blocks of 64, 128- etc. numbers of bits. However, we haven’t really talked about how to encrypt larger numbers of bits. Let’s say, for example, that we have a one megabyte document of plaintext that we would like to encrypt with a 64-bit key using DES. One megabyte is 16384 64-bit blocks. We could take each of these 64-bit blocks of plaintext input and independently run each of them through DES to produce 16384 64-bit blocks of ciphertext. This technique is called ECB, or Electronic Code Book, based encryption. It is as if we are looking up each 64-bit plaintext block in a (very large) “electronic code book” to determine what the corresponding ciphertext should be. There is a problem with this form of encryption using block ciphers. The problem is that it is likely that some of the 64-bit plaintext blocks are repeated many times in the one megabyte document. For instance, if the document is simply text, and the word “security” appears in the document multiple times (aligned on 64-bit boundaries) then the exact same ciphertext will appear in the encrypted document multiple times as well. This leaks some information about the structure of the document to the attacker. We would ideally like the encrypted document to look like completely random garble to the attacker, such that the probability that any bit in the encrypted document is a 1 (or is a 0) is ½. To achieve this, we should not use this “electronic code book” method of concatenating ciphertext blocks. Instead of having each block of ciphertext only be dependent upon one block of plaintext, we might like to have each block of ciphertext be dependent upon all of the previous ciphertext, so that we can hide such patterns. Problem: someone can tell if Pi = Pj because Ci will equal Cj.
  • CBC, or Cipher Block Chaining, accomplishes this. In CBC, we XOR the previous block of ciphertext with the current plaintext block to produce a ciphertext block. By doing this, each ciphertext block is dependent on all previous ciphertext blocks as well as the current plaintext block, and it thereby hides such patterns in the encrypted text. Now, even if the word “security” appears in the plaintext multiple times aligned on 8-byte boundaries, the ciphertext for the word “security” will be different each time in the encrypted version of our file. Solution: Make C[i+1] dependent upon C[1]…C[i]. Other block chaining methods exist: CFB: Cipher Feedback OFB: Output Feedback We won’t cover them here… see Schneier’s book.
  • Until now, we have focused on talking about block-based symmetric encryption schemes in which blocks of plaintext are encrypted at a time. There does exist another class of symmetric encryption schemes called stream ciphers in which one bit of plaintext is encrypted at a time. Stream ciphers are, in general, much faster than block ciphers. They work by generating an infinite stream of key bits that are then simply XORed with the plaintext. When we first talked about XOR, we mentioned that it is not secure to simply XOR a key with some plaintext to encrypt it because if an attacker got a hold of some plaintext and its corresponding ciphertext, the attacker could simply XOR the two together to obtain the key. Hence, we could never use the same key bits twice. In a stream cipher,this is exactly what we make sure to do– a keystream generates an infinite sequence of random bits. The goal of a good stream cipher is to generate such a keystream of infinite random bits. In doing so, stream ciphers attempt to practically approximate a theorhetical encryption scheme called a one-time pad. A one-time pad is a cipher in which plaintext is XORed with a truly random stream of bits of the same length as the plaintext. (This is the reason that a one-time pad is impractical– carrying around a key that is the same size as the plaintext is impractical.) Also, note that a one time pad is called a one time pad because the key should be used exactly once! Why would we want to attempt to approximate such a impractical theorhetical encryption scheme? Well, Claude Shannon proved that a one time pads offer a property called “perfect secrecy.” Perfect secrecy means that under a brute force attack, every possible decryption is equally likely. Consider the following: let’s say that the attacker got a hold of some ciphertext that was encrypted using a one-time pad. The attacker could try a brute force attack where he tries decrypting using every possible combination of keys. The result that the attacker gets is a list containing one copy of every possible plaintext. The brute force attack yields absolutely no information about the plaintext. (This is, in general, not true of any imperfect cipher.) We will cover the most popular stream cipher, RC4. Since it is impractical to have Alice send Bob a key that is as long as the plaintext itself, RC4 uses a fixed size key as a “seed” that can be used to generate an infinite stream of key bits. We cover RC4 in just a second, but first we will review modular arithmetic, as modular arithmetic is used in the implementation of RC4 (as well as in RSA which we will see in the next lecture). One-time Pad: more info at http://world.std.com/~franl/crypto/one-time-pad.html (Excerpt) If the key is truly random, an xor-based one-time pad is perfectly secure against ciphertext-only cryptanalysis. This means an attacker can't compute the plaintext from the ciphertext without knowlege of the key, even via a brute force search of the space of all keys! Trying all possible keys doesn't help you at all, because all possible plaintexts are equally likely decryptions of the ciphertext. This result is true regardless of how few bits the key has or how much you know about the structure of the plaintext. To see this, suppose you intercept a very small, 8-bit, ciphertext. You know it is either the ASCII character 'S' or the ASCII character 'A' encrypted with a one-time pad. You also know that if it's 'S', the enemy will attack by sea, and if it's 'A', the enemy will attack by air. That's a lot to know. All you are missing is the key, a silly little 8-bit one-time pad. You assign your crack staff of cryptanalysts to try all 256 8-bit one-time pads. This is a brute force search of the keyspace. The results of the brute force search of the keyspace is that your staff finds one 8-bit key that decrypts the ciphertext to 'S' and one that decrypts it to 'A'. And you still don't know which one is the actual plaintext. This argument is easilly generalized to keys (and plaintexts) of arbitrary length.
  • (Add some info about the intuition for the algorithm… this is contained in Schnier’s book.) RC4 heavily uses modular arithmetic to create a random keystream. The way that RC4 works is it uses an array, S, whose values it continuously changes to generate the key stream. The array is “seeded” with a “key” that fills the array initially. The RC4 algorithm used to generate the keystream is shown above. The values i, j, and t are counters that are used to index the array S. RC4 generates one byte of key bits each time the above algorithm is run. The newly generated key bits are stored in K. Counters i and j are initialized to 0. S is initialized to the value of the key that both Alice and Bob know of as the “key” which they use to generate the keystream. On each iteration, i is incremented by one, and j is set to the value of S[i] added to j. Then, the values in the positions S[i] and S[j] are swapped. T is given the value of S[i] and S[j],and the next bytes of key bits are S[t]. All additions are done mod 256. The counter i iterates through the entire array and makes sure that each byte of the array gets modified at least once every 256 steps. However, each byte can be modified more than once because of the swap step. See http://www.wisdom.weizmann.ac.il/~itsik/RC4/rc4.html for more info. mod = modular arithmatic S-Box initialized as follows: First, forall i, S[i] = i. Let K[i] be the key array. (filled with the key, if key smaller than 255 bytes, then it is repeated) j=0; for i = 0 to 255 { j = (j + S[i] + K[i]) mod 256; swap (S[i],S[j]); } In the algorithm: i makes sure that every entry in the S-box eventually changes J “randomly” chooses a byte to swap i with
  • So far, we have discussed symmetric cryptography. Before continuing our discussion of applied cryptography with asymmetric cryptography, we will briefly touch upon steganography. The symmetric ciphers that we have discussion so far all have one thing in common: they all seek to transform the plaintext into a random string of bits. If Alice sends a random strings of bits to Bob, then an Eavesdropper Eve may be able to infer that Alice is sending sensitive information to Bob. However, Alice may want to conceal the fact that she is sending sensitive information to Bob. Steganography is the study of techniques that Alice can use to send sensitive information to Bob that seeks to hide the fact that sensitive information is being transmitted. Steganographic techniques typically use a convert channel to send sensitive information from one part to the other. Consider the following message that Alice sends to Bob: “All the tools are carefully kept.” The message seems harmless enough, but within this message there is a covert channel that is being utilized to send a secret message. (Most steganography relies on security by obscurity.)
  • If we only pay attention to the first letter of each word in the sentence, we can see that these first letters spell out the word “ATTACK.” The first letter of each word is a covert channel that is being used to send a secret message. It may be hard for an eavesdropper, Eve, that is not aware of the covert channel to discern that Alice is really telling Bob to “attack” when the message seems to be concerned with tools. There are many other examples of steganography. Invisible ink pens that children use to send messages to each other is another example of steganography. A more serious approach that is used to transmit hidden messages as part of electronic pictures work as follows. Each pixel in a digital picture can be represented as a 8 bit color code, corresponding to a red, green, and blue value for that pixel. The first bits (also called the most significant bits) of each of the 8-bit components have the most significant effect on the color of the pixel. However, the least significant bit has only a very slight effect on the color of the pixel. One could change all of the least significant bits without affecting the average person’s perception of the entire image. So, one could use these bits to transmit a secret message. For example, if you switched the least significant bits of a black background in a digital image from 000 to 101, you would be able to transmit the secret message “101” from a party sending the image to the party receiving it, and any eavesdroppers would not necessarily be aware that a secret message was encoded in the least significant bits of all the pixels.
  • The key advantage of steganographic techniques is that they allow Alice and Bob to exchange secrets without allowing third-parties to know that such secret messages are being exchanged. The key disadvantage is that steganographic techniques rely on obscurity for security. Once the covert channel is known to the third-party, the technique is useless. In addition, the other disadvantage of steganography is that even if the technique is unknown to the third-party, there is a high overhead for sending secret messages. In our previous example, only three bits per pixel could be used to send secret message. (The overhead is about 8 bits for each secret message bit that needs to be sent.) The more bits that are used as part of the covert channel the more percievable the alternations in color it might be to the third-party. The fewer bits that are used, the higher the overhead. Steganography can be used together with encryption to leverage some of the advantages of both. If a message is encrypted before it is inserted into a covert channel, Alice and Bob may be able to hide that they are communicating secret messages, and even if the third-party does figure out that there is a covert channel and obtain the contents of the secret message, the third-party may not be able to decrypt it. However, even by combining steganography with encryption, it is hard to eliminate the high overhead. This concludes this chapter, and in the next chapter we will cover asymmetric cryptography, a kind of cryptography in which Alice can Bob use two different keys, a public key and a private key, to exchange messages instead of just one key that Alice and Bob share.
  • 12 symmetric key cryptography

    1. 1. CHAPTER 12 Symmetric Key CryptographySlides adapted from "Foundations of Security: What Every ProgrammerNeeds To Know" by Neil Daswani, Christoph Kern, and Anita Kesavan(ISBN 1590597842; http://www.foundationsofsecurity.com). Except asotherwise noted, the content of this presentation is licensed under theCreative Commons 3.0 License.
    2. 2. Agenda Cryptography (crypto)– study of how to mathematically encode & decode messages Cryptographic primitive (low-level) = algorithm Applied Cryptography – how to use crypto to achieve security goals (e.g. confidentiality) Primitives build up higher-level protocols (e.g. digital signature – only constructible by signer) Symmetric Encryption: Alice, Bob use same key
    3. 3. 12.1. Introduction toCryptography Goal: Confidentiality Alice Bob “My account number is 485853 and my PIN is 4984” Eve Message “sent in clear”: Eve can overhear Encryption unintelligible to Eve; only Bob can decipher with his secret key (shared w/ Alice)
    4. 4. 12.1.1. Substitution Ciphers Plaintext: meet me at central park Ciphertext: phhw ph dw fhqwudo sdun Plain: abcdefghijklmnopqrstuvwxyz Cipher: defghijklmnopqrstuvwxyzabc Key is 3, i.e. shift letter right by 3 Easy to break due to frequency of letters Good encryption algorithm produces output that looks random: equal probability any bit is 0 or 1
    5. 5. 12.1.2. Notation & Terminology m = message (plaintext), c = ciphertext F = encryption function Cipher F = decryption function -1 k = key (secret number) c = F(m,k) = Fk(m) = encrypted message m = F-1(c,k) = F-1k(c) = decrypted message Symmetric cipher: F-1(F(m,k), k) = m, same key
    6. 6. Symmetric Encryption Alice encrypts a message with the same key that Bob uses to decrypt. Alice Bob 1. Construct m 2. Compute c= F(m,k) c 3. Send c to Bob 4. Receive c from Alice 5. Compute d=F-1(c,k) 6. m = c Eve can see c, but cannot compute m because k is only known to Alice and Bob
    7. 7. 12.1.3. Block Ciphers Blocks of bits (e.g. 256) encrypted at a time Examples of several algorithms:  Data Encryption Standard (DES)  Triple DES  Advanced Encryption Standard (AES) or Rijndael Internal Data Encryption Algorithm (IDEA), Blowfish, Skipjack, many more… (c.f. Schneier)
    8. 8. 12.1.3. DES Adopted in 1977 by NIST Input: 64-bit plaintext, 56-bit key (64 w/ parity) Parity Bits: redundancy to detect corrupted keys Output: 64-bit ciphertext Susceptible to Brute-Force (try all 256 keys)  1998: machine Deep Crack breaks it in 56 hours  Subsequently been able to break even faster  Key size should be at least 128 bits to be safe
    9. 9. 12.1.3. Triple DES Do DES thrice w/ 3 different keys (slower) c = F(F-1(F(m ,k1),k2),k3) where F = DES  Why decrypt with k2?  Backwards compatible w/ DES, easy upgrade Keying Options: Key Size (w/ Parity)  k1 ≠ k2 ≠ k3 : 168-bit (192-bit)  k1 = k3 ≠ k2 : 112-bit (128-bit)  k1 = k2 = k3 : 56-bit (64-bit) (DES)
    10. 10. 12.1.3. AES (Rijndael) Invented by 2 Belgian cryptographers Selected by NIST from 15 competitors after three years of conferences vetting proposals Selection Criteria:  Security, Cost (Speed/Memory)  Implementation Considerations (Hardware/Software) Key size & Block size: 128, 192, or 256 bits (much larger than DES) Rely on algorithmic properties for security, not obscurity
    11. 11. 12.1.4. Security by Obscurity:Recap Design of DES, Triple DES algorithms public  Security not dependent on secrecy of implementation  But rather on secrecy of key Benefits of Keys:  Easy to replace if compromised  Increasing size by one bit, doubles attacker’s work If invent own algorithm, make it public! Rely on algorithmic properties (math), not obscurity.
    12. 12. 12.1.5. Electronic Code Book Encrypting more data: ECB encrypt blocks of data in a large document P1 P2 PnK DES K DES … K DES C1 C2 Cn Leaks info about structure of document (e.g. repeated plaintext blocks)
    13. 13. 12.1.5. Review of XOR Exclusive OR (either x y x XOR y x or y but not both) 0 0 0 Special Properties: 0 1 1 x XOR y = z  z XOR y = x 1 0 1  x XOR z = y 1 1 0
    14. 14. 12.1.5. Cipher Block Chaining CBC: uses XOR, no patterns leaked! Each ciphertext block depends on prev block IV P1 P2 Pn + + + K DES K DES … K DES C1 C2 Cn
    15. 15. 12.1.5. Output Feedback (OFB) Makes block cipher into stream cipher Like CBC, but do XOR after encryption IV …K AES K AES K AES P1 + P2 + Pn + C1 C2 Cn
    16. 16. 12.1.6. AES Code Example Example Java Class: AESEncrypter Command-line utility:  Create AES key  Encrypt & Decrypt with key  AES in CBC mode Arguments: <command> <keyfile>  command = createkey|encrypt|decrypt  Input/output from stdin and stdout
    17. 17. 12.1.6. Using AESEncrypter Alice generates a key and encrypts a message: $ java AESEncrypter createkey mykey $ echo "Meet Me At Central Park" | java AESEncrypter encrypt mykey > ciphertext She gives Bob mykey over secure channel, then can send ciphertext over insecure channel Bob can decrypt Alice’s message with mykey:$ java com.learnsecurity.AESEncrypter decrypt mykey < ciphertextMeet Me At Central Park
    18. 18. 12.1.6. AESEncrytper:Members & Constructor/* Import Java Security & Crypto packages, I/O library */public class AESEncrypter { public static final int IV_SIZE = 16; // 128 bits public static final int KEY_SIZE = 16; // 128 bits public static final int BUFFER_SIZE = 1024; // 1KB Cipher cipher; /* Does encryption and decryption */ SecretKey secretKey; AlgorithmParameterSpec ivSpec; /* Initial Value – IV */ byte[] buf = new byte[BUFFER_SIZE]; byte[] ivBytes = new byte [IV_SIZE]; /* inits ivSpec */ public AESEncrypter(SecretKey key) throws Exception { cipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); /* Use AES, pad input to 128-bit multiple */ secretKey = key; } // ... Methods Follow ...}
    19. 19. 12.1.6. AESEncrypter: encrypt()public void encrypt(InputStream in, OutputStream out) throws Exception { ivBytes = createRandBytes(IV_SIZE); // create IV & write to output out.write(ivBytes); ivSpec = new IvParameterSpec(ivBytes); cipher.init(Cipher.ENCRYPT_MODE, secretKey, ivSpec); // cipher initialized to encrypt, given secret key, IV // Bytes written to cipherOut will be encrypted CipherOutputStream cipherOut = new CipherOutputStream(out, cipher); // Read in the plaintext bytes and write to cipherOut to encrypt int numRead = 0; while ((numRead = in.read(buf)) >= 0) // read plaintext cipherOut.write(buf, 0, numRead); // write ciphertext cipherOut.close(); // padded to 128-bit multiple}
    20. 20. 12.1.6. AESEncryptor: decrypt()public void decrypt(InputStream in, OutputStream out) throws Exception { // read IV first System.in.read(ivBytes); ivSpec = new IvParameterSpec(ivBytes); cipher.init(Cipher.DECRYPT_MODE, secretKey, ivSpec); // cipher initialized to decrypt, given secret key, IV // Bytes read from in will be decrypted CipherInputStream cipherIn = new CipherInputStream(in, cipher); // Read in the decrypted bytes and write the plaintext to out int numRead = 0; while ((numRead = cipherIn.read(buf)) >= 0) // read ciphertext out.write(buf, 0, numRead); // write plaintext out.close();}
    21. 21. 12.1.6. AESEncryptor: main()public static void main (String[] args) throws Exception { if (args.length != 2) usage(); // improper usage, print error String operation = args[0]; // createkey|encrypt|decrypt String keyFile = args[1]; // name of key file if (operation.equals("createkey")) { FileOutputStream fos = new FileOutputStream(keyFile); KeyGenerator kg = KeyGenerator.getInstance("AES"); kg.init(KEY_SIZE*8); // key size in bits SecretKey skey = kg.generateKey(); fos.write(skey.getEncoded()); // write key fos.close(); } else { byte[] keyBytes = new byte[KEY_SIZE]; FileInputStream fis = new FileInputStream(keyFile); fis.read(keyBytes); // read key SecretKeySpec keySpec = new SecretKeySpec(keyBytes, "AES"); AESEncrypter aes = new AESEncrypter(keySpec); // init w/ key if (operation.equals("encrypt")) { aes.encrypt(System.in, System.out); // Encrypt } else if (operation.equals("decrypt")) { aes.decrypt(System.in, System.out); // Decrypt } else usage(); // improper usage, print error }}
    22. 22. 12.1.6. AESEncryptor: Helpers/* Generate numBytes of random bytes to use as IV */public static byte[] createRandBytes(int numBytes) throws NoSuchAlgorithmException { byte[] bytesBuffer = new byte[numBytes]; SecureRandom sr = SecureRandom.getInstance("SHA1PRNG"); sr.nextBytes(bytesBuffer); return bytesBuffer;}/* Display error message when AESEncryptor improperly used */public static void usage () { System.err.println("java com.learnsecurity.AESEncrypter " + "createkey|encrypt|decrypt <keyfile>"); System.exit(-1);}
    23. 23. 12.1.6. AESEncryptor Recap Java class KeyGenerator can be used to construct strong, cryptographically random keys AESEncrypter: no integrity protection  Encrypted file could be modified  So in practice, should tag on a MAC  Use different keys for MAC and encryption Key Distribution is a challenge (c.f. Ch. 13-14)
    24. 24. 12.2. Stream Ciphers Much faster than block ciphers Encrypts one byte of plaintext at a time Keystream: infinite sequence (never reused) of random bits used as key Approximates theoretical scheme: one-time pad, trying to make it practical with finite keys
    25. 25. 12.2.1 One-Time Pad Key as long as plaintext, random stream of bits  Ciphertext= Key XOR Plaintext  Only use key once! Impractical having key the same size as plaintext (too long, incurs too much overhead) Theoretical Significance: “perfect secrecy” (Shannon) if key is random.  Under brute-force, every decryption equally likely  Ciphertext yields no info about plaintext (attacker’s a priori belief state about plaintext is unchanged)
    26. 26. 12.2.2. RC4 Most popular stream cipher: 10x faster than DES Fixed-size key “seed” to generate infinite stream State Table S that changes to create stream Ex: 256-bit key used to seed table (fill it) i = (i + 1) mod 256 i = (i + 1) mod 256 j = (j + S[i]) mod 256 j = (j + S[i]) mod 256 swap (S[i],S[j]) swap (S[i],S[j]) t = (S[i]+S[j]) mod 256 t = (S[i]+S[j]) mod 256 K = S[t] K = S[t]
    27. 27. 12.2.2. … and other ciphers… Source: http://xkcd.com/153/
    28. 28. 12.2.2. RC4 Pitfalls Never use the same key more than once! Clients & servers should use different RC4 keys! C -> S: P XOR k [Eve captures P XOR k]  S -> C: Q XOR k [Eve captures Q XOR k]  Eve: (P XOR k) XOR (Q XOR k) = P XOR Q!!!  If Eve knows either P or Q, can figure out the other Ex: Simple Mail Transfer Protocol (SMTP)  First string client sends server is HELO  Then Eve could decipher first few bytes of response
    29. 29. 12.2.2. More RC4 Pitfalls Initial bytes of key stream are “weak”  Ex: WEP protocol in 802.11 wireless standard is broken because of this  Discard first 256-512 bytes of stream Active Eavesdropper  Could flip bit without detection  Can solve by including MAC to protect integrity of ciphertext
    30. 30. 12.3. Steganography All ciphers transform plaintext to random bits Eve can tell Alice is sending sensitive info to Bob Conceal existence of secret message Use of a “covert channel” to send a message.
    31. 31. 12.3.1. What is Steganography? Study of techniques to send sensitive info and hide the fact that sensitive info is being sent Ex: “All the tools are carefully kept” -> Attack Other Examples: Invisible ink, Hidden in Images  Least significant bit of image pixels  Modifications to image not noticeable by an observer  Recipient can check for modifications to get message Red Green Blue 00000000 00000000 00000000 00000001 00000000 00000001 101
    32. 32. 12.3.2. Steganography vs.Cryptography Key Advantage: when Alice & Bob don’t want Eve to know that they’re communicating secrets Disadvantages compared to encryption  Essentially relying on security by obscurity  Useless once covert channel is discovered  High overhead (ratio of plain bits/secret bits high) Can be used together with encryption, but even more overhead (additional computation for both)
    33. 33. Summary Cryptography: encode & decode messages Applied to serve security goals (confidentiality) Symmetric Ciphers: Alice & Bob have same key  BlockCiphers: DES, AES (128-bit blocks at a time)  Stream Ciphers: OTP, RC4 (byte at a time, faster) Encrypting More Data: ECB & CBC Steganography: Attempt to hide that secrets are being communicated at all