  • Block ciphers work on a block / word at a time, which is some number of bits. All of these bits have to be available before the block can be processed. Stream ciphers work on a bit or byte of the message at a time, hence process it as a “stream”.
  • Public key schemes are no more or less secure than private key schemes; in both cases the size of the key determines the security. Note also that you can't compare key sizes directly: a 64-bit private key scheme has very roughly similar security to 512-bit RSA, and both could be broken given sufficient resources. But with public key schemes at least there's usually a firmer theoretical basis for determining the security, since it's based on well-known and well-studied number theory problems.
  • Both the prime generation and the derivation of a suitable pair of inverse exponents may involve trying a number of alternatives, but theory shows the number is not large.
  • RSA is the best known, and by far the most widely used general public key encryption algorithm.
  • These are the specifications for good hash functions. Essentially it must be extremely difficult to find 2 messages with the same hash, and the hash should not be related to the message in any obvious way (i.e. it should be a complex non-linear function of the message). There are quite a few similarities in the evolution of hash functions & block ciphers, and in the evolution of the design requirements on both.
  • The Birthday Attack exploits the birthday paradox, the chance that in a group of people two will share the same birthday; only 23 people are needed for Pr > 0.5 of this. The problem can be generalized to wanting a matching pair from any two sets, showing that 2^(m/2) in each are needed to get a matching m-bit hash. Note that creating many message variants is relatively easy, either by rewording or just varying the amount of white-space in the message.
  • MD5 is the current, and very widely used, member of Rivest’s family of hash functions.
  • The padded message is broken into 512-bit blocks, each processed along with the buffer value using 4 rounds, and the result is added to the input buffer to make the new buffer value. Repeat until the message is exhausted, and use the final buffer value as the hash. NB: due to padding there is always a full final block (with the length in it).
  • Stallings Fig 12.1
  • MD4 is the precursor to MD5, and was widely used. It uses 3 instead of 4 rounds, and the round functions are a little simpler. In creating MD5 Rivest aimed to strengthen the algorithm by introducing the extra round and varying the constants used.
  • Some progress has been made analysing MD5, which along with the hash size of 128 bits means it's starting to look too small. Hence the interest in hash functions that create larger hashes.
  • SHA is one of the newer generation of hash functions, more resistant to cryptanalysis, and now probably preferred for new applications.
  • Note that the SHA-1 Overview is very similar to that of MD5.
  • Compare using the design goals listed earlier. SHA-1 is probably the preferred hash function for new applications. Currently no problems are known with it.
  • See Stallings Tables 12.3 and 12.4 for details.
    1. Lecture 1: Cryptography for Network Security
       Anish Arora, CIS694K Introduction to Network Security
    2. Symmetric encryption
    3. Symmetric encryption requirements
       • two requirements for secure use of symmetric encryption:
         • a strong encryption algorithm
         • a secret key known only to sender / receiver
           • y = S‹x›, in notation of book: Y = E_K(X)
           • x = S‹y›, X = D_K(Y)
       • assume encryption algorithm is known
       • implies a secure channel to distribute key
    4. Block versus stream ciphers
       • block ciphers divide messages into blocks, each is then en/decrypted
         • like a substitution on very big characters
         • 64 bits or more
         • would need table of 2^64 entries for a 64-bit block
         • instead create from smaller building blocks
         • using idea of a product cipher
           • substitution (S-box) provides confusion
           • permutation (P-box) provides diffusion
       • stream ciphers process messages a bit or byte at a time
         • typically have a (pseudo) random stream key
    5. Block versus stream ciphers (contd.)
         • key should satisfy
           • statistical uniformity: of distribution of numbers in sequence
           • unpredictability: of successive members of sequence
         • randomness of key destroys statistical properties in message
         • but must not reuse stream key
         • e.g. RC4 used in SSL and WEP
       • many current ciphers are block ciphers
       • many symmetric block ciphers use Feistel Cipher Structure
    6. Feistel schema for symmetric encryption
       • Overall processing at each iteration: use two 32-bit halves L and R
         • L_i = R_{i-1}
         • R_i = L_{i-1} ⊕ F(R_{i-1}, K_i)
    7. Data Encryption Standard (DES)
       • A widely used symmetric encryption scheme
       • Algorithm is referred to as Data Encryption Algorithm (DEA)
       • DES is a block cipher
       • Plaintext is processed in 64-bit blocks
       • Key is usually 56 bits in length
       • n rounds, in each
         • every block first undergoes key-based substitution
         • then all blocks are collated and undergo key-based permutation
       • Easy in hardware, slow in software
         • selection of block size, key size, #rounds, round function, subkey generation scheme trades off security vs speed
    8. The function F in DES
       • takes 32-bit R half & 48-bit subkey and:
         • expands R to 48 bits using perm E
         • adds to subkey
         • passes through 8 S-boxes to get 32-bit result
         • finally permutes this using 32-bit perm P
    9. DEA Decryption runs backward
    10. DES History
        • IBM developed Lucifer cipher
          • by team led by Feistel
          • used 64-bit data blocks with 128-bit key
        • Then redeveloped as a commercial cipher with input from NSA & others
        • In 1973, NBS issued request for proposals for a national cipher standard
        • IBM submitted their revised Lucifer which was eventually accepted as the DES
        • DES standard is public
        • But there has been considerable controversy over design
          • in choice of 56-bit key (vs original Lucifer 128-bit)
          • and because design criteria were classified
    11. Breaking DES
    12. Concerns about DEA
        • Key length of only 56 bits is insufficient
        • Even with larger keys, breaking is feasible if you have
          • known plaintext or have repeated encryptions
            • generally these are statistical attacks
          • access to timing or power consumption information
            • use knowledge of implementation to derive subkey bits
            • exploit fact that calculations take varying times based on input value
            • particularly problematic on smartcards
    13. Weaknesses in DES
        • DES has weak and semi-weak keys: the round key construction is such that
          • Any key comprising all 0s, all 1s, alternating 0s and 1s, or alternating 1s and 0s is its own inverse (these are the 4 weak keys)
          • The set of keys composed of two halves each of the above sorts is such that each key has an inverse in this set (these are the 12 semi-weak keys)
        • Complement key property means that brute force search for DES is of complexity 2^55, not 2^56
    14. DES Electronic Code Book
        • In encryption via ECB, repeated 64-bit blocks are identically encrypted
        • ECB attackers who know the data structure (e.g. fields such as salary) can reorder blocks while preserving structure
    15. Cipher Block Chaining
        • To overcome the ECB weakness, add (i.e. XOR) a random number to each 64-bit block being encrypted, and additionally communicate the random number in the clear
        • This is inefficient
        • Approximation: only communicate the initial random number, and derive the successive random numbers from the previously encrypted message
          • Initial random number is called the initialization vector
          • Default IVs, such as all zeroes, can be used, but this is insecure for repeated transmissions of the same message sequence
    16. Cipher Block Chaining
        • Improvement over ECB: XOR a random number to each 64-bit block being encrypted, & communicate the random number in the clear
        • An optimization: communicate only the initial random number, & derive successive numbers from previously encrypted message
          • initial random number is called the initialization vector
          • default IVs, such as all zeroes, can be used, but this is insecure for repeated transmissions of the same message sequence
    17. A CBC threat
        • If message structure is known, intruder can systematically ensure that a modified message is delivered, by changing the previous ciphertext
          • but then the previous plaintext is deciphered in a way not controlled by intruder
        • An alternative to CBC is the Counter Mode (CTR):
        • precompute encryptions of a counter value and XOR with successive messages (this method enjoys parallelism)
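The Feistel structure of slide 6, "decryption runs backward" (slide 9) and the ECB, CBC and CTR modes of slides 14 to 17, as an added Python example that is not part of the lecture: the 64-bit block cipher is a toy (its round function F and key schedule are hypothetical, built from SHA-256, not DES's E, S-box and P steps), and the "salary" record is constructed to show that ECB repeats identical blocks while CBC and CTR hide them.

```python
import hashlib
import os

BLOCK = 8      # 64-bit block, as in DES
ROUNDS = 16

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def round_function(right: bytes, subkey: bytes) -> bytes:
    # Hypothetical F(R, K): SHA-256 stands in for DES's E, S-box and P steps.
    return hashlib.sha256(subkey + right).digest()[:4]

def subkeys(key: bytes) -> list:
    # Hypothetical key schedule: one 32-bit subkey per round.
    return [hashlib.sha256(key + bytes([i])).digest()[:4] for i in range(ROUNDS)]

def feistel(block: bytes, keys: list) -> bytes:
    """L_i = R_{i-1};  R_i = L_{i-1} XOR F(R_{i-1}, K_i); halves swapped at the end."""
    left, right = block[:4], block[4:]
    for k in keys:
        left, right = right, xor(left, round_function(right, k))
    return right + left

def encrypt_block(block: bytes, key: bytes) -> bytes:
    return feistel(block, subkeys(key))

def decrypt_block(block: bytes, key: bytes) -> bytes:
    # Decryption runs the same rounds backward: same routine, subkeys reversed.
    return feistel(block, subkeys(key)[::-1])

def blocks(data: bytes) -> list:
    if len(data) % BLOCK:
        raise ValueError("ECB/CBC need a whole number of 64-bit blocks (pad first)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(msg: bytes, key: bytes) -> bytes:
    # Identical plaintext blocks give identical ciphertext blocks.
    return b"".join(encrypt_block(b, key) for b in blocks(msg))

def cbc_encrypt(msg: bytes, key: bytes, iv: bytes) -> bytes:
    # XOR each block with the previous ciphertext block (the IV for the first one).
    out, prev = [], iv
    for b in blocks(msg):
        prev = encrypt_block(xor(b, prev), key)
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(ct: bytes, key: bytes, iv: bytes) -> bytes:
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(decrypt_block(c, key), prev))
        prev = c
    return b"".join(out)

def ctr_crypt(msg: bytes, key: bytes, nonce: bytes) -> bytes:
    # Keystream E_K(nonce || counter) can be precomputed; the same call decrypts.
    out = []
    for n, i in enumerate(range(0, len(msg), BLOCK)):
        keystream = encrypt_block(nonce + n.to_bytes(4, "big"), key)   # 4-byte nonce
        out.append(xor(msg[i:i + BLOCK], keystream))
    return b"".join(out)

def repeated_blocks(ct: bytes) -> int:
    """How many ciphertext blocks duplicate an earlier one (structure leakage)."""
    bs = blocks(ct)
    return len(bs) - len(set(bs))

if __name__ == "__main__":
    key, iv = os.urandom(16), os.urandom(BLOCK)
    record = b"SALARY=1" * 4          # constructed: four identical 64-bit fields
    print("ECB repeats:", repeated_blocks(ecb_encrypt(record, key)))      # 3
    print("CBC repeats:", repeated_blocks(cbc_encrypt(record, key, iv)))  # 0
```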
    18. Multiple DES, 3DES
        • Two successive encryptions with different keys are better than one 56-bit key
          • E2.E1 to encrypt and D2.D1 to decrypt
          • Combinatorially, two keys yield more permutations than those possible with one key
          • However, meet-in-the-middle cryptanalysis reduces complexity of attack to 2^56, so net improvement is not large
        • 3DES uses two keys: E1.D2.E1 to encrypt and D1.E2.D1 to decrypt
          • or three keys: E3.D2.E1 to encrypt and D3.E2.D1 to decrypt
    19. Other symmetric block ciphers
        • Blowfish
          • Easy to implement
          • High execution speed
          • Runs in less than 5K of memory
          • Uses a 32- to 448-bit key
        • RC5
          • Suitable for hardware and software
          • Fast, simple, but proprietary
          • Adaptable to processors of different word lengths
          • Variable number of rounds
          • Variable-length key
          • Low memory requirement
          • High security
          • Data-dependent rotations
    20. AES
        • AES, Elliptic Curve, IDEA, Public Key cryptography concern numbers & finite fields
        • US NIST issued call for ciphers in 1997
          • 15 candidates accepted in Jun 98
          • 5 were shortlisted in Aug 99
          • Rijndael was selected as the AES in Oct 2000
          • issued as a standard in Nov 2001
        • Symmetric block cipher, 128-bit data, 128/192/256-bit keys
          • provide full specification & design details
          • both C & Java implementations
          • NIST have released all submissions & unclassified analyses
          • iterative (vs Feistel) cipher, operates on entire block per round
    21. Asymmetric encryption: Public key cryptography
    22. Security of public key schemes
        • brute force attacks infeasible since keys used are too large (> 512 bits)
        • security relies on a large computational difference in difficulty between easy (en/decrypt) and hard (cryptanalyse) problems
        • the hard problem is generally known, it's just made too hard to do in practice
        • requires the use of very large numbers
        • hence is slow compared to private key schemes
    23. Background
        • Asymmetric cryptography invented by Diffie and Hellman '76
        • 3 categories of uses:
          • encryption/decryption (provide secrecy)
          • digital signatures (provide authentication)
          • key exchange (of session keys)
    24. Authentication using public keys
    25. RSA
        • To encrypt a message M the sender:
          • obtains public key of recipient KU = {e, N}
          • computes: C = M^e mod N, where 0 ≤ M < N
        • To decrypt the ciphertext C the receiver:
          • uses its private key KR = {d, p, q}
          • computes: M = C^d mod N
        • Message M is smaller than modulus N (so block if needed)
    26. RSA key generation
        • 1: determine two primes at random - p, q
        • primes p, q must not be easily derived from modulus N = p.q
          • means must be sufficiently large
          • typically guess and use probabilistic test
        • 2: select either e or d and compute the other
        • exponents e, d are inverses
    27. RSA (contd.)
        • Due to Rivest, Shamir & Adleman of MIT in 1977
        • Best known & widely used public-key scheme
        • Based on exponentiation in a finite (Galois) field over integers modulo a prime
          • exponentiation takes O((log n)^3) operations (easy)
        • Uses large integers (e.g. 1024 bits)
        • Security due to cost of factoring large numbers
          • factorization takes O(e^(log n · log log n)) operations (hard)
          • barring dramatic breakthrough 1024+ bit RSA secure
        • Timing attacks possible
          • exploit time taken in exponentiation to infer operands
          • countermeasures
            • use constant exponentiation time, add random delays
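The key-generation, encryption and decryption steps of slides 25 to 27 as an added Python example (not code from the lecture): Miller-Rabin is used as the "probabilistic test" for the primes, e is fixed at 65537 (an assumption; the slide only says pick one exponent and compute the other) and d is computed as its inverse mod φ(N). The key sizes and message value in the demo are constructed and far too small for real use.

```python
import secrets
from math import gcd

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin: the probabilistic primality test slide 26 refers to."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0                     # n - 1 = d * 2^s with d odd
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)     # random base in [2, n - 2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                # a is a witness that n is composite
    return True

def random_prime(bits: int) -> int:
    """Guess odd candidates with the top bit set until one passes the test."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def generate_keypair(bits: int = 2048, e: int = 65537):
    """Step 1: two random primes p, q.  Step 2: choose e, compute d = e^-1 mod phi(N)."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            break
    d = pow(e, -1, phi)                 # modular inverse, so e.d = 1 mod phi(N) (Python 3.8+)
    return (e, p * q), (d, p, q)        # KU = {e, N}, KR = {d, p, q}

def encrypt(m: int, public_key) -> int:
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("need 0 <= M < N: split longer messages into blocks")
    return pow(m, e, n)                 # C = M^e mod N

def decrypt(c: int, private_key) -> int:
    d, p, q = private_key
    return pow(c, d, p * q)             # M = C^d mod N

if __name__ == "__main__":
    public, private = generate_keypair(512)   # toy size; slide 27 wants 1024+ bits
    m = int.from_bytes(b"hello", "big")       # constructed message
    assert decrypt(encrypt(m, public), private) == m
    print("N has", public[1].bit_length(), "bits")
```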
    28. Hash functions
        • a hash function produces a fingerprint of some file/message/data
          • h = H(M)
          • condenses a variable-length message M
          • to a fixed-sized fingerprint
        • usually assume that the hash function is public, not keyed
          • cf. MAC which is keyed
        • hash used to detect changes to message
        • can use in various ways with message
        • most often to create a digital signature, or fingerprint
    29. Requirements for hash functions
        • can be applied to any sized message M
        • produces fixed-length output h
        • is easy to compute h = H(M) for any message M
        • given h is infeasible to find x s.t. H(x) = h
          • one-way property
        • given x is infeasible to find y s.t. H(y) = H(x)
          • weak collision resistance
        • is infeasible to find any x, y s.t. H(y) = H(x)
          • strong collision resistance
    30. Simple hash functions
        • there are several proposals for simple functions, based on XOR of message blocks:
          • e.g. longitudinal redundancy check:
            • XOR of columns of n-bit block arranged in rows
          • e.g. above + circular left shift of hash after each row
            • effect of rotated XOR (RXOR) is to randomize the input
        • but these lack weak collision resistance
          • simply "add a block" to obtain desired hash
        • need a stronger cryptographic function
    31. Birthday attacks imply need for longer hash values
        • You might think a 64-bit hash is secure
        • but by the Birthday Paradox it is not
        • birthday attack works thus:
          • opponent generates 2^(m/2) variations of a valid message all with essentially the same meaning
          • opponent also generates 2^(m/2) variations of a desired fraudulent message
          • two sets of messages are compared to find pair with same hash (probability > 0.5 by birthday paradox)
          • have user sign the valid message, then substitute the forgery which will have a valid signature
        • conclusion is that need to use longer hash values
        • also, you might wish to change every message you sign!
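The arithmetic behind slide 31 and the speaker note on the birthday paradox, as an added Python example (not from the lecture): the 23-person probability, and a measurement of how few trials collide a deliberately truncated m-bit hash, which is why a hash must be at least twice as long as the work factor it is meant to provide. The truncated hash, the white-space variant trick and the `factor` parameter (how many multiples of 2^(m/2) to try) are constructed for this demo.

```python
import hashlib

def birthday_probability(k: int, n: int = 365) -> float:
    """P(some pair among k samples from n equally likely values coincides)."""
    p_all_distinct = 1.0
    for i in range(k):
        p_all_distinct *= (n - i) / n
    return 1.0 - p_all_distinct

def short_hash(msg: bytes, m: int) -> int:
    # Constructed m-bit hash for the demo: SHA-256 truncated to its top m bits.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - m)

def variants(base: bytes, count: int):
    """count versions of base with the same meaning: the trailing white-space
    pattern encodes an index in spaces and tabs (the trick the notes mention)."""
    width = max(1, (count - 1).bit_length())
    for i in range(count):
        yield base + bytes(0x20 if bit == "0" else 0x09 for bit in format(i, f"0{width}b"))

def birthday_collision(valid: bytes, fraud: bytes, m: int, factor: int = 1):
    """Hash factor * 2^(m/2) variants of each message; return a pair with equal
    m-bit hashes, or None. With factor=1 a match is found with probability about
    1 - 1/e, i.e. more than 0.5, exactly as the slide states."""
    n = factor << (m // 2)
    table = {short_hash(v, m): v for v in variants(valid, n)}
    for f in variants(fraud, n):
        h = short_hash(f, m)
        if h in table:
            return table[h], f
    return None

if __name__ == "__main__":
    print(f"23 people: P(shared birthday) = {birthday_probability(23):.3f}")   # 0.507
    # constructed messages; factor=4 makes the 24-bit collision essentially certain
    pair = birthday_collision(b"Pay Bob $100", b"Pay Bob $100000", 24, factor=4)
    print("24-bit collision:", pair)
```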
    32. Hash algorithms
        • similarities in evolution of hash functions & block ciphers
          • increasing power of brute-force attacks led to evolution in algorithms
            • from DES to AES in block ciphers
            • from MD4 & MD5 to SHA-1 in hash algorithms
        • likewise tend to use common iterative structure as do block ciphers
          • iteration of collision-resistant round compression function preserves collision resistance
        • good round functions should have an avalanche effect
          • small changes in input should have large changes in output
    33. Block ciphers as hash functions
        • can use block ciphers as hash functions
          • using H_0 = 0 and zero-pad of final block
          • compute: H_i = E_{M_i}[H_{i-1}]
          • and use final block as the hash value
          • similar to cipher block chaining but without a key
        • but resulting hash should not be too small (64-bit)
        • like block ciphers have brute-force attacks, and a number of analytic attacks on iterated hash functions
    34. MD5
        • designed by Ronald Rivest (the R in RSA)
        • latest in a series of MD2, MD4
        • produces a 128-bit hash value
        • until recently was the most widely used hash algorithm
          • in recent times had both brute-force & cryptanalytic concerns
        • specified as Internet standard RFC 1321
    35. MD5 overview
        • pad message so its length is 448 mod 512
        • append a 64-bit length value to message
        • initialise 4-word (128-bit) MD buffer (A, B, C, D)
        • process message in 16-word (512-bit) blocks:
          • using 4 rounds of 16 steps on message block & buffer
          • add output to buffer input to form new buffer value
        • output hash value is the final buffer value
    36. MD5 overview
    37. MD4
        • precursor to MD5
        • also produces a 128-bit hash of message
        • has 3 rounds of 16 steps vs 4 in MD5
        • design goals:
          • collision resistant (hard to find collisions)
          • direct security (no dependence on "hard" problems)
          • fast, simple, compact
          • favours little-endian systems (e.g., PCs)
    38. Strength of MD5
        • MD5 hash is dependent on all message bits
        • Rivest claimed security is as strong as can be with 128-bit code
        • known attacks are:
          • Berson 92 attacked any 1 round using differential cryptanalysis (but can't extend)
          • Boer & Bosselaers 93 found a pseudo collision (again unable to extend)
          • Dobbertin 96 created collisions on MD compression function (but initial constants prevent exploit)
          • conclusion was that MD5 should be vulnerable soon
        • In 2004, an attack was found
    39. Secure Hash Algorithm (SHA-1)
        • SHA was designed by NIST & NSA in 1993, revised 1995 as SHA-1
        • US standard for use with DSA signature scheme
          • standard is FIPS 180-1 1995, also Internet RFC 3174
          • nb. the algorithm is SHA, the standard is SHS
        • produces 160-bit hash values
        • now the generally preferred hash algorithm
        • based on design of MD4 with key differences
    40. SHA overview
        • pad message so its length is 448 mod 512
        • append a 64-bit length value to message
        • initialise 5-word (160-bit) buffer (A, B, C, D, E) to
          • (67452301, efcdab89, 98badcfe, 10325476, c3d2e1f0)
        • process message in 16-word (512-bit) chunks:
          • expand 16 words into 80 words by mixing & shifting
          • use 4 rounds of 20 steps on message block & buffer
          • add output to input to form new buffer value
        • output hash value is the final buffer value
    41. SHA-1 versus MD5
        • brute force attack is harder (160 vs 128 bits for MD5)
        • not vulnerable to any known attacks (compared to MD4/5)
        • a little slower than MD5 (80 vs 64 steps)
        • both designed as simple and compact
        • optimised for big-endian CPUs (vs MD5 which is optimised for little-endian CPUs)
    42. Revised secure hash standard
        • NIST have issued a revision FIPS 180-2
        • adds 3 additional hash algorithms
        • SHA-256, SHA-384, SHA-512
        • designed for compatibility with increased security provided by the AES cipher
        • structure & detail is similar to SHA-1
        • hence analysis should be similar
    43. Reading on Crypto
        • Comparable to the extent covered in class, read
        • Chapter 3: 3.1-3.4, 3.6
        • Chapter 5: 5.1
        • Chapter 6: 6.2-6.5
        • Chapter 7: 7.4
        • Chapter 9: 9.1-9.2
        • Chapter 11: 11.4-11.5
        • Chapter 12: 12.1-12.2