# Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

Second session in Applied Cryptography course held at AMC Theater in Tyson's Corner (http://www.mightbeevil.com/crypto).

Generating keys for symmetric ciphers (randomness)
Cipher modes
Using symmetric ciphers for authentication

Published in: Technology, Education


1. Stephen Kleene
2. Engineering Cryptographic Applications, Day 2: Using (and Misusing) Symmetric Ciphers. David Evans, University of Virginia, www.cs.virginia.edu/evans. MicroStrategy course, 11 October 2013.
3. Recap: Symmetric Encryption. Plaintext → AES (under key) → ciphertext, sent over an insecure channel → AES (same key) → plaintext.
   Correctness property: for all possible messages m, D(E(m)) = m.
   Security property: given c = E(m), it is "hard" to learn anything interesting about m. "hard" = if correctly implemented and used, even the NSA can't do it unless they have made dozens of theoretical breakthroughs or have energy comparable to trillions of massive nuclear explosions.
   (Slide footer: evans@virginia.edu, Engineering Crypto Applications.)
4. Today: Using Symmetric Encryption (same diagram as the recap).
5. Today: Using Symmetric Encryption.
   1. How to generate a good (unpredictable) key: randomness.
   2. How to use symmetric encryption to do more interesting things than just send one block: building an encrypted file server.
6. Generating Randomness
7. Which is random? Two columns of 13-bit strings:

   | Left | Right |
   |---|---|
   | 0101100001111 | 0101101001101 |
   | 0110000111011 | 0110000111011 |
   | 1010000000011 | 1010100010011 |
   | 1011000000011 | 1011000100011 |
   | 1011011001011 | 1011011001011 |
   | 1110011011110 | 0110011011010 |
   | 0100000111000 | 0100100111001 |
   | 0001110111000 | 0001110111001 |
   | 0000111010100 | 0000111010100 |
   | 1000101000001 | 1000101010001 |

8. Which is random? Left column: C1 from the Puzzle Challenge (message generated with Crypto.Random). Right column: C1 with sequences of 5 or more repeated symbols modified. Runs of 5 or more identical bits are expected in genuinely random data; removing them makes a sequence less random, not more.
9. Which is random? (Two bitmap images; source: http://boallen.com/random-numbers.html)
10. Which is random? Left: random.org (atmospheric noise). Right: PHP rand() on Windows. Which should you use to generate cryptographic keys? (Source of images: http://boallen.com/random-numbers.html)
11. Defining Non-Randomness. If you can find any predictable patterns in the sequence, it is definitely not random. (Compare Supreme Court Justice Potter Stewart on pornography: "I shall not today attempt further to define the kinds of material I understand to be embraced within that shorthand description; and perhaps I could never succeed in intelligibly doing so. But I know it when I see it, and the motion picture involved in this case is not that.")
12. Defining Randomness. Andrey Kolmogorov (1903-1987); "He was to probability theory what Euclid was to geometry." (Peter Lax). For a sequence s, its Kolmogorov complexity K(s) = the length of the shortest description of s. A sequence s is random if K(s) ≈ |s|, i.e. no description is shorter than writing s out in full, up to a constant C (K(s) ≥ |s| − C). (This is a somewhat informal version. A real definition would need to be more careful about stating this asymptotically.)
13. Kolmogorov Complexities. s = 000000000000000…
14. Kolmogorov Complexities. s = 000000000000000…; description = "N repeated 0s"; K(s) = log |s| + C1 < |s| + C. t = 010011000111000011110000011111…
15. Kolmogorov Complexities. t = 010011000111000011110000011111…; description =

   ```c
   t = "";
   for (i = 1; i < N; i++) {
       for (j = 0; j < i; j++) t += '0';
       for (j = 0; j < i; j++) t += '1';
   }
   ```

   K(t) = log |t| + C2 < |t| + C.
16. Kolmogorov Complexities. r = 010110000111101100001110111010000000011101100000001110110110010111110011011110010000011100000011101110000000111010100100010100000101000010011101110111111110011000101… (the left column from slide 7, concatenated). Description:

   ```python
   from Crypto.Random import random

   def random_sequence(n):
       return map(lambda x: random.choice([0, 1]), range(n))
   ```

   plus the state of the random module (and any entropy added during generation). Hmm… maybe the answer from the earlier slide was wrong!
17. If your mind isn't blown yet… What is the smallest natural number that cannot be described in eleven words?
18. If your mind isn't blown yet… What is the smallest natural number that cannot be described in eleven words? "The smallest natural number that cannot be described in eleven words." (Count them: 1 2 3 4 5 6 7 8 9 10 11.)
19. Randomness is Essential
   • Kolmogorov provides a definition of randomness but not a "useful" one: computing K(s) for an arbitrary s is undecidable (not just hard, theoretically impossible).
   • Impossible for a program to generate true randomness: the program (plus its input) is itself a description of everything it outputs, so any output longer than the program is compressible and hence not random.
   • There are physical sources of randomness (or near randomness): quantum events, radioactive decay, thermal noise, lava lamps, key presses.
20. Amplifying Physical Randomness: a pseudo-random number generator. k = f(physical randomness); the outputs are AES_k(0), AES_k(1), AES_k(2), AES_k(3), … Every once in a while, compute a new k using new physical randomness.
21. NIST SP 800-90: Recommendation for Random Number Generation Using Deterministic Random Bit Generators (2006)
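An added example of the amplification step on slides 20-21, not code from the course: a minimal HMAC_DRBG as specified in NIST SP 800-90A. The slides draw the AES-based variant; HMAC-SHA256 is used here only because Python's standard library has no AES. The reseed interval and the use of os.urandom as the "physical randomness" source are this example's assumptions.

```python
"""HMAC_DRBG (NIST SP 800-90A) seeded from OS entropy and reseeded periodically.

Added example; not the course's code.
"""
import hashlib
import hmac
import os


class HmacDrbg:
    """Deterministic random bit generator: a seed from physical randomness
    stretched into an arbitrary amount of output, with periodic reseeding."""

    # Calls to generate() allowed before a reseed is required. SP 800-90A
    # permits up to 2**48; this small value is an assumption for the example.
    RESEED_INTERVAL = 1 << 16

    def __init__(self, entropy, personalization=b""):
        self.key = b"\x00" * 32          # K and V start at the fixed values from the standard
        self.v = b"\x01" * 32
        self._update(entropy + personalization)
        self.reseed_counter = 1

    def _hmac(self, data):
        return hmac.new(self.key, data, hashlib.sha256).digest()

    def _update(self, provided=b""):
        """HMAC_DRBG_Update: fold provided data (if any) into K and V."""
        self.key = self._hmac(self.v + b"\x00" + provided)
        self.v = self._hmac(self.v)
        if provided:
            self.key = self._hmac(self.v + b"\x01" + provided)
            self.v = self._hmac(self.v)

    def reseed(self, entropy, additional=b""):
        """Mix in fresh physical randomness (slide 20: 'every once in a while')."""
        self._update(entropy + additional)
        self.reseed_counter = 1

    def generate(self, nbytes, additional=b""):
        if self.reseed_counter > self.RESEED_INTERVAL:
            raise RuntimeError("reseed required before generating more output")
        if additional:
            self._update(additional)
        out = b""
        while len(out) < nbytes:
            self.v = self._hmac(self.v)      # each output block is HMAC(K, previous V)
            out += self.v
        self._update(additional)             # advance K and V so past output cannot be recomputed
        self.reseed_counter += 1
        return out[:nbytes]


def new_key_from_os_entropy(nbytes=32):
    """Derive a symmetric key: OS entropy is the physical source (assumption for this example)."""
    drbg = HmacDrbg(os.urandom(32), personalization=b"symmetric-key")
    return drbg.generate(nbytes)
```

The same seed always yields the same stream, which is exactly why the seed must come from a physical source and why the state is refreshed after every call: an attacker who learns K and V at one moment cannot recover earlier outputs, but can predict later ones until the next reseed.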
22. Dual-EC PRNG. P and Q are points on an elliptic curve; φ(point) = its x-coordinate. s0 ← physical randomness. Update internal state: s_{i+1} = φ(s_i P). Generate output bits: r_i = φ(s_i Q); output all but the 16 most significant bits of r_i (on P-256, 240 bits per step).
23. Elliptic Curves. y² = x³ − 7 (mod p): discrete values, x and y are integers! Addition: P + Q = intersection of the curve with the line through P and Q. Multiplication: repeated addition, kP = P + P + … + P. Elliptic curves are primarily used in asymmetric crypto, but also in the Dual EC PRNG.
24. Elliptic Curves (corrected picture). Addition: P + Q = the negation (reflection across the x-axis) of the third intersection of the curve with the line through P and Q. Multiplication: repeated addition, kP = P + P + … + P.
25. Elliptic Curves. Elliptic curve discrete logarithm problem: given points P and Q on an elliptic curve, it is hard to find an integer k such that Q = kP. (y² = x³ − 7 (mod p); P + Q is built from the line through P and Q; kP = P + P + … + P, multiplication is just repeated addition.)
26. Curve Used by Dual-EC PRNG: NIST P-256, y² = x³ + ax + b (mod p), with
   p = 2^256 − 2^224 + 2^192 + 2^96 − 1
   a = p − 3 = 115792089210356248762697446949407573530086143415290314195533631308867097853948
   b = 41058363725152142129326129780047268409114441015993725554835256314039467401291
   Elliptic curve operations are expensive! Dual-EC PRNG is 1000x slower than strong PRNGs built using symmetric ciphers.
27. Why would anyone use elliptic curves as the basis for a PRNG?
   • Easier to plant a back door in it than in designs based on symmetric ciphers.
   • Can be used to provide provable security properties based on number theory (but this was not done for Dual EC PRNG).
28. Dual-EC PRNG, proposed as a NIST standard (2005). s0 ← randomness; P and Q are (random?) points on P-256. Update internal state: s_{i+1} = φ(s_i P). Generate output bits: r_i = φ(s_i Q), all but its 16 most significant bits.
29. OpenSSL-FIPS implementation (using the NIST P and Q values). Image credit: Matthew Green.
30. "Rump session" talk at CRYPTO 2007 (Dan Shumow and Niels Ferguson): you can choose Q such that Q = dP. Then it is easy to find e such that P = eQ (e = d⁻¹ mod n, where n is the order of P), and then easy to learn the state of the PRNG from just one output: r_i = s_i Q, so e·r_i = s_i P, whose x-coordinate is the next state s_{i+1}. Only the 16 dropped bits have to be guessed.
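A worked version of the Shumow-Ferguson observation on slide 30, added here and not part of the course material. Everything is scaled down by assumption so the whole attack runs in milliseconds: the curve is y² = x³ − 7 over F_97 instead of P-256, only 2 bits of each x-coordinate are dropped instead of 16, and the state is kept in [1, n−1] by reduction modulo the order n of P. The algebra is the real one: the designer picks d, publishes Q = dP, keeps e = d⁻¹ mod n, and recovers the generator's next state from a single truncated output.

```python
"""A back-doored Dual EC DRBG, scaled down so the attack runs instantly.

Added example; not the course's code. Toy assumptions: y^2 = x^3 - 7 over F_97,
2 dropped bits per output (real Dual EC: 16 of 256), state reduced mod the
order of P. The attack itself is unchanged: e * (s_i Q) = s_i P.
"""
from math import gcd

PRIME = 97
A = 0
B = (-7) % PRIME                                     # y^2 = x^3 - 7 (mod 97)


def inv_mod(a, m):
    return pow(a % m, -1, m)


def ec_add(p1, p2):
    """Group law on the curve; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % PRIME == 0:
        return None                                  # P + (-P), incl. doubling a point with y = 0
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv_mod(2 * y1, PRIME) % PRIME
    else:
        lam = (y2 - y1) * inv_mod(x2 - x1, PRIME) % PRIME
    x3 = (lam * lam - x1 - x2) % PRIME
    return (x3, (lam * (x1 - x3) - y1) % PRIME)


def ec_mul(k, pt):
    """kP = P + P + ... + P, by double-and-add."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def point_order(pt):
    n, cur = 1, pt
    while cur is not None:
        cur = ec_add(cur, pt)
        n += 1
    return n


SQRT = {}                                            # square -> one square root mod PRIME
for y in range(PRIME):
    SQRT.setdefault(y * y % PRIME, y)


def curve_rhs(x):
    return (x ** 3 + A * x + B) % PRIME


POINTS = [(x, SQRT[curve_rhs(x)]) for x in range(PRIME) if curve_rhs(x) in SQRT]

# The "standard": P of maximal order n, and Q = d*P where d is the designer's trapdoor.
P_BASE = max(POINTS, key=point_order)
ORDER = point_order(P_BASE)
TRAPDOOR_D = next(d for d in range(2, ORDER) if gcd(d, ORDER) == 1)
Q_BASE = ec_mul(TRAPDOOR_D, P_BASE)
E_SECRET = inv_mod(TRAPDOOR_D, ORDER)               # P = E_SECRET * Q

DROPPED_BITS = 2
OUT_BITS = PRIME.bit_length() - DROPPED_BITS
OUT_MASK = (1 << OUT_BITS) - 1


def phi(pt):
    """x-coordinate, as on the slides."""
    return pt[0]


def reduce_state(x):
    return x % ORDER or 1                            # toy fix: keep s in [1, n-1] so s*P is never O


def dual_ec_step(s):
    """One generator step: returns (s_{i+1}, truncated output r_i)."""
    r = phi(ec_mul(s, Q_BASE))
    return reduce_state(phi(ec_mul(s, P_BASE))), r & OUT_MASK


def generate(s0, count):
    outs, s = [], reduce_state(s0)
    for _ in range(count):
        s, out = dual_ec_step(s)
        outs.append(out)
    return outs, s


def recover_states(outputs):
    """Attacker holding E_SECRET: from outputs[0], the next states consistent with outputs[1:]."""
    first, rest = outputs[0], outputs[1:]
    candidates = []
    for high in range(1 << DROPPED_BITS):            # guess the dropped bits
        x = (high << OUT_BITS) | first
        if x >= PRIME or curve_rhs(x) not in SQRT:
            continue                                 # not the x-coordinate of any point
        r_point = (x, SQRT[curve_rhs(x)])            # sign of y is irrelevant: phi(e*(-R)) == phi(e*R)
        s_point = ec_mul(E_SECRET, r_point)          # equals s_i * P for the true candidate
        if s_point is None:
            continue
        s_next = reduce_state(phi(s_point))
        if generate(s_next, len(rest))[0] == rest:   # confirm against the following outputs
            candidates.append(s_next)
    return candidates
```

With 16 dropped bits the attacker's loop runs 2^16 times and, as on slide 30, needs only a few consecutive outputs (one to recover, the rest to confirm); nothing in the loop depends on the seed or on how much output was generated before the capture.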
31. Shumow and Ferguson's conclusion (slide image).
32. Snowden leak (5 September 2013): 2013 Intelligence Budget Request ($250M).
33. September 2013 (image slide).
36. Randomness Summary
   • All cryptosystems depend on randomness.
   • No way to test if a value is really random.
   • Physical randomness is limited: need algorithms to amplify physical randomness.
   • If your pseudorandom numbers are predictable, all is (almost always) lost.
37. Building an Encrypted File System
38. Scenario. Documents about a plan to overthrow the government are stored on an (easily stolen) device. Password/biometric-protected (assume that works, for now). Data should not be readable to someone who steals the device and can physically extract its non-volatile (flash) storage.
39. Electronic Codebook Mode (ECB). declaration.txt is divided into 128-bit blocks (block 1, block 2, …, block n); each block is encrypted separately with AES under k.
40. Electronic Codebook Mode. If two blocks have the same plaintext, with ECB they have the same ciphertext!
41. Block Size. 128 bits = 16 bytes = "Benjamin Frankli" (16 characters). (Example files: Almanack, Mail, pennsylvannians.txt, declaration.txt.)
42. Time-Space Tradeoffs. No-memory brute force attack: known crib → AES → known ciphertext; try all keys until you find one that fits. Memory: 0. Time: 2^127 encryptions (1T nuclear mega-bombs).
43. Time-Space Tradeoffs. No-time (not) brute force attack: pre-compute a table of AES_key(crib) for every key (000…000 → 7ebc5137da5ff2…, 000…001 → 4d7b9328a582c…, …) and sort it by ciphertext. Breaking an intercepted ciphertext is then one table lookup! Time: 1. Memory: 2^132 bytes (~$2 decillion, 10^33).
44. Won't quite work like this for AES, but with some more tricks. Combination: rainbow tables. Precompute chains known crib → AES → ciphertext 1 → AES → … → AES → ciphertext 2^64, and only store the chain endpoints. Time: 2^64. Memory: 2^68 bytes (~$137 trillion).
46. NSA Meltdown? "Experts estimate the new center in Utah can store data by the exabyte or zettabyte." (Actual amount is highly classified.)
47. Cipher Block Chaining Mode (CBC). Initialization vector ⊕ block 1 → AES_k → ciphertext 1; ciphertext 1 ⊕ block 2 → AES_k → ciphertext 2; and so on for blocks 3, 4, …
48. Cipher Block Chaining Mode. + Avoids leaking repeated plaintexts. − Cannot encrypt in parallel (each block's input depends on the previous ciphertext block).
49. Counter Mode (CTR). The cipher inputs are Nonce‖00000000, Nonce‖00000001, …: ciphertext i = AES_k(Nonce‖counter) ⊕ block i; increase the counter for each block.
50. Counter Mode (CTR). + Avoids leaking repeated plaintexts. + Can encrypt and decrypt in parallel. ?? Systematic input: the cipher is fed predictable counter values, and a (key, nonce) pair must never be reused, since two messages encrypted with the same keystream XOR to the XOR of their plaintexts.
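The three modes on slides 39-50 side by side, as an added example (not the course's code). The standard library has no AES, so the block cipher below is a throwaway 4-round Feistel network keyed with SHA-256; it is invertible, so CBC decryption works, but it is not a real cipher and exists only so the mode logic is exactly what it would be with AES. The example reproduces the ECB leak (identical blocks), shows CBC hiding it, and shows what CTR leaks when a nonce is reused under the same key.

```python
"""ECB, CBC and CTR modes over a toy 128-bit block cipher.

Added example; not the course's code. The block cipher is a 4-round Feistel
network with SHA-256 as round function (assumption: stdlib has no AES). It is
invertible, so every mode works as with AES, but it is NOT a secure cipher.
"""
import hashlib

BLOCK = 16
ROUNDS = 4


def xor(a, b):
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def _round_function(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key, block):
    left, right = block[:8], block[8:]
    for i in range(ROUNDS):
        left, right = right, xor(left, _round_function(key, i, right))
    return right + left          # undo the final swap so decryption mirrors encryption


def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for i in reversed(range(ROUNDS)):
        left, right = right, xor(left, _round_function(key, i, right))
    return right + left


def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def _blocks(data):
    if not data or len(data) % BLOCK:
        raise ValueError("ECB and CBC need whole blocks: pad first")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, data):
    # Blocks are encrypted independently: equal plaintext blocks give equal
    # ciphertext blocks (the leak on slides 39-40).
    return b"".join(block_encrypt(key, b) for b in _blocks(data))


def ecb_decrypt(key, data):
    return b"".join(block_decrypt(key, c) for c in _blocks(data))


def cbc_encrypt(key, iv, data):
    out, prev = [], iv
    for b in _blocks(data):
        prev = block_encrypt(key, xor(b, prev))   # chain: block i depends on ciphertext i-1
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for c in _blocks(data):
        out.append(xor(block_decrypt(key, c), prev))
        prev = c                                   # needs only c[i-1]: decryption parallelizes
    return b"".join(out)


def ctr_crypt(key, nonce, data):
    """CTR: keystream block i = E_k(nonce || i); one function encrypts and decrypts.

    Never reuse (key, nonce): two messages under the same keystream XOR to the
    XOR of their plaintexts.
    """
    if len(nonce) != 8:
        raise ValueError("nonce must be 8 bytes")
    out = b""
    for i in range(0, len(data), BLOCK):
        keystream = block_encrypt(key, nonce + (i // BLOCK).to_bytes(8, "big"))
        out += xor(data[i:i + BLOCK], keystream)   # xor() truncates for a partial last block
    return out
```

For the file server on slide 51 this means: one master key, a fresh nonce per file (and per rewrite of a file), and the nonce stored alongside the ciphertext, since it is not secret but must never repeat.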
51. How should our young subversive store the master key k and the (per-file) nonces?
52. Storing the Key (?). k is stored encrypted under a human-remembered 4-digit PIN (e.g. 0704): AES_PIN(k).
53. Maybe this could work with a tamper-proof device?
54. R2B2: a $200 robot that can try all 10000 four-digit PINs in < 20 hours.
55. Higher Entropy Passwords. k is stored encrypted under a human-remembered long password (44 bits of entropy).
56. Scaling Work. k is stored as AES applied 1000 times under the long password (44 bits of entropy).
57. Scaling Work. Time for one AES: 10 ms; time for 2^44 AESs: 5000 years (or 2 days with 1Mx computing power). Time for 1000x AES: 10 s; time for 2^44 1000x AESs: 5M years.
58. Scaling to a Web Service
59. http://epetitions.direct.gov.uk/
60. http://petitions.whitehouse.gov
63. Encrypted Passwords Scheme. Master key K; store passwords encrypted using K.

   | UserID | Password |
   |---|---|
   | benf | AES_K(flyakite) |
   | samadams | AES_K(beer) |
   | tj | AES_K(Monti07cello04) |

   Authentication check: AES_K(guess) == users[userID].password
64. Encrypted Passwords Scheme: FAIL. Someone who gets the password file and K learns all passwords.
65. Hashed Passwords Scheme. Store passwords by using them as the key to encrypt 0: benf → AES_flyakite(0), samadams → AES_beer(0), tj → AES_Monti07cello04(0). Authentication check: AES_guess(0) == users[userID].password
66. Hashed Passwords Scheme with a master key K: FAIL. Store passwords by using them as the key to encrypt K: benf → AES_flyakite(K), samadams → AES_beer(K), tj → AES_Monti07cello04(K). Authentication check: AES_guess(K) == users[userID].password
67. "If they had consulted with anyone that knows anything about password security, this would not have happened," said Paul Kocher, president of Cryptography Research, a San Francisco computer security firm.
68. 86% of users are dumb (Morris/Thompson 79):

   | Password form | Share of users |
   |---|---|
   | Single ASCII character | 0.5% |
   | Two characters | 2% |
   | Three characters | 14% |
   | Four alphabetic letters | 14% |
   | Five same-case letters | 21% |
   | Six lowercase letters | 18% |
   | Words in dictionaries or names | 15% |
   | Other (possibly good passwords) | 14% |

69. Dictionary Attacks (http://www.openwall.com/john/). Seed list: all 1-4 letter words; list of common (dog) names; words from dictionaries (4M words, 20+ languages); phone numbers, dates, etc. Rules for generating passwords: combining words from the seed list; inserting numbers, symbols; replacing "l" with "1", "ate" with "8", etc.; anything written in any popular password advice document!
70. Aside: My 3-Word Password Advice. Unimportant passwords: use "silly" (protect the service, not the user). Important passwords: write them down (but somewhat obfuscated and in a secure place). If you can memorize it, it is not secure! (unless you have a well-trained memory)
71. Making Dictionary Attacks Harder. 1. Use a more expensive cryptographic hash function: AES_flyakite(0) becomes AES^1000_flyakite(0) (AES applied 1000 times), and likewise AES^1000_beer(0) and AES^1000_Monti07cello04(0).
72. Making Dictionary Attacks Harder. 2. Add "salt": a randomly selected (but non-secret) value for each user.

   | UserID | Salt (16 bits) | Password |
   |---|---|---|
   | benf | 52455 | AES^1000_flyakite(52455) |
   | samadams | 50757 | AES^1000_beer(50757) |
   | tj | 47101 | AES^1000_Monti07cello04(47101) |

   AES × 1000 makes a dictionary attack 1000 times harder. A 16-bit salt makes a dictionary attack against the whole file 2^16 times harder (but doesn't make a targeted attack against one user harder). A 16-bit salt is the 1979 Unix parameter; with today's storage a salt of at least 128 random bits per user is needed so that no two users share one.
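Slides 55-57 and 71-72 in code, added here and not from the course: a salted, stretched password store using PBKDF2-HMAC-SHA256 from the standard library (the standardized equivalent of the slides' AES applied 1000 times), a constant-time check, and the attacker's side, a dictionary attack whose counted work shows what per-user salts buy. User names and passwords are the ones on the slides; the wordlist and the iteration count are constructed for the example.

```python
"""Salted, stretched password storage and the dictionary attack it slows down.

Added example; not the course's code. PBKDF2-HMAC-SHA256 stands in for the
slides' iterated AES; the iteration count is an assumption to tune per server.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000        # work factor; raise it as hardware gets faster (assumption)
SALT_BYTES = 16             # 128 random bits per user, far beyond the slides' 16-bit salt


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Store (salt, iterations, hash); the salt is random per user and not secret."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_password(record, guess):
    """Recompute with the stored salt and work factor; compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", guess.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


def dictionary_attack(records, wordlist):
    """Offline attack on a stolen table (slide 69).

    Returns ({user: cracked_password}, number_of_hash_computations). The cache
    is what a precomputed table is: it only pays off when salts repeat.
    """
    cracked, work, cache = {}, 0, {}
    for user, rec in records.items():
        for word in wordlist:
            key = (rec["salt"], rec["iterations"], word)
            if key not in cache:
                cache[key] = hashlib.pbkdf2_hmac("sha256", word.encode(), rec["salt"], rec["iterations"])
                work += 1
            if cache[key] == rec["hash"]:
                cracked[user] = word
                break
    return cracked, work


def build_user_table(users, salt=None, iterations=ITERATIONS):
    """Constructed table of users for the demonstration; salt=None gives each user a fresh one."""
    return {user: hash_password(pw, salt, iterations) for user, pw in users}
```

Run the attack twice on the same users, once with every record sharing a salt and once with per-user salts: the cracked set is identical (weak passwords stay weak) but the salted table costs the attacker one full pass of the wordlist per user instead of one pass in total, and the iteration count multiplies every one of those computations.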
73. Two Big Problems Remaining: 1. Users are still morons.
74. Two Big Problems Remaining: 1. Users are still morons. (Solving this is outside the scope of this class.) Auditors called 100 IRS employees and managers, portraying themselves as personnel from the information technology help desk trying to correct a network problem. They asked the employees to provide their network logon name and temporarily change their password to one they suggested. "We were able to convince 35 managers and employees to provide us their username and change their password," the report said. (GAO Audit of IRS, 2005)
75. Two Big Problems Remaining: 2. Transmitting the password over an insecure channel to petitions.gov. How does TJ know he's really talking to petitions.gov? How can he establish a secure channel to transmit the password?
76. Plan for Next Week. Solving these problems using asymmetric cryptography: public key cryptosystems; digital signatures; public key protocols (TLS). Open to requests! MightBeEvil.com/crypto