4. Recap: Basic Techniques
■ Substitution
■ Substitute PT units
■ è S-Box
■ Transposition
■ Permutation of PT units
■ è P-Box
■ Product cipher
■ Combination of substitution and transposition functions
■ Realization with S-Boxes and P-Boxes
T. Zseby, VU Network Security 4
6. Perfect vs. Computational Security
■ Perfect security
■ Against adversary with unlimited computing power
■ Impossible to crack cipher
■ Computational security
■ Assume adversaries with limited computing power
■ Possible to crack cipher, but not with reasonable effort
■ Design ciphers that are hard to crack
■ New inventions may violate assumptions
■ Faster hardware
■ Better algorithms
■ Quantum computers
T. Zseby, VU Network Security 6
7. Kerckhoffs's Principle (1883)
■ Cipher system must be
■ practically (if not mathematically) indecipherable
■ not required to be secret and able to fall into the hands of the enemy
without inconvenience
■ key must be communicable and retainable without the help of written
notes, and changeable or modifiable at the will of the correspondents
■ applicable to telegraphic correspondence
■ portable, and its usage and function must not require the concourse of
several people
■ easy to use (requiring neither mental strain nor the knowledge of a long
series of rules to observe)
■ Shannons Maxim: “The enemy knows the system.”
èno “security by obscurity”
T. Zseby, VU Network Security 7
Source: A. Kerckhoffs: La cryptographie militaire. Journal des sciences militaires. Feb. 1883
8. Cryptanalysis
■ Power of adversary
■ Resources available to adversary
■ Information available to adversary
■ Resources
■ Assumption: limited resources (computational security)
■ processing, memory, time
■ è consider computational complexity of cracking a
cipher
T. Zseby, VU Network Security 8
9. Information Available to Adversary
■ Ciphertext-only attack
■ Adversary has access to set of ciphertexts
■ e.g. from eavesdropping messages exchanged between A and B
■ Known-plaintext attack
■ Adversary has access to set of ciphertexts to which he knows the
corresponding plaintext
■ Chosen Plaintext Attack
■ Adversary can obtain ciphertexts for an arbitray set of plaintexts that he
selected
■ Chosen Ciphertext Attack
■ Adversary can obtain plaintexts for an arbitray set of ciphertexts that he
selected
T. Zseby, VU Network Security 9
10. Information Available to Adversary
■ Adaptively Chosen Plaintext Attack
■ Adversary can choose subsequent plaintexts based on ciphertexts he
received for previous plaintexts
■ Adaptively Chosen Ciphertext Attack
■ Adversary can choose subsequent ciphertexts based on plaintexts he
received for previous ciphertexts
■ Related-key attack
■ Adversary can obtain ciphertexts encrypted by two different keys.
■ Keys remain unknown, but relationship between keys is known (e.g. differ in
one bit).
T. Zseby, VU Network Security 10
12. Recap: Symmetric Encryption
T. Zseby, VU Network Security 12
Alice Bob
Eve
Ciphertext c
k k
c=E(k,m) m=D(k,E(k,m))
- Sees ciphertext c
- Knows functions E() and D()
- May have additional information
(e.g. language, purpose of
conversation)
13. Stream Ciphers
■ Basic Idea: similar to One Time Pad
■ Generate a keystream
■ One key bit for each plaintext bit
■ Combine plaintext bits with key bits
T. Zseby, VU Network Security 13
! = ! ! !!! ! = ! ! !!!
Alice Bob
k = 011000001010….
k = 011000001010….
m = 111100001011….
è m = 111100001011….
c = 100100000001 …
14. Stream Ciphers
■ Problem: random keystream
■ How to generate random key
■ How exchange key with communication partner?
■ Approach
■ Generate a pseudorandom key
■ Use a smaller truly random key as seed
■ Pseudorandom is not a truly random key
è no perfect secrecy
T. Zseby, VU Network Security 14
15. Random Numbers for Cryptography
■ Needed for
■ Seed to generate symmetric keys
■ Input for asymmetric cryptography
■ Security protocols
■ Special requirements
■ Statistically random
■ Unpredictable è unbiased and uncorrelated
■ Natural sources of randomness
■ Radioactive decay
■ Coin toss
■ Noise diode
T. Zseby, VU Network Security 15
16. Pseudo Random Generator (PRG)
■ Deterministic Function that expands a short truly random sequence s
(seed) to longer pseudo-random sequence G(s)
T. Zseby, VU Network Security 16
!: 0,1 ! → 0,1 !!with!!!!! ≪ !!!
s G(s)
Possible sequences for R
(real random sequence of length n)
Possible sequences for s
17. Pseudo Random Generator (PRG)
T. Zseby, VU Network Security 17
Possible sequences for R
(real random sequence of length n)
Possible sequences for G(s)
(generated from seed s)
18. Pseudo Random Generator Security
■ PRG considered secure if G(s) indistinguishable from random
sequence R
■ Statistical test A
■ checks if sequence looks random
■ Test passed if A(sequence)=1
è if test passed sequence is considered random
T. Zseby, VU Network Security 18
19. PRG Security: Advantage
■ Real random Sequence R
■ If A(R) = 1 è Test recognizes real rand. seq as random è test
suitable to detect randomness
■ Probability that test detects randomness correctly P(A(R)=1)
■ Pseudo random sequence G(s)
■ If A(G(s)) = 1 è Test recognizes pseudo rand. sequence as random
è good pseudo random generator
■ Advantage (for an attacker)
■ Suitability of test for detecting randomness
■ Quality of pseudo random sequence
T. Zseby, VU Network Security 19
!"# !, ! ! = ! ! ! ! = 1 − ! ! ! = 1 ! !!
20. Advantage
■ Shows if test performs different on pseudo-random sequence G(s) or
real random sequence R
■ Compares probabilities
■ Prob. that test passed for G(s) vs.
■ Prob. that test passed for R
■ High difference è high advantage è G(s) detectable different from
random è weak PRG
■ Small difference è low advantage ègood PRG
T. Zseby, VU Network Security 20
!"# !, ! ! = ! ! ! ! = 1 − ! ! ! = 1 ! !!
21. Advantage Examples
T. Zseby, VU Network Security 21
!"# !, ! ! = ! ! ! ! = 1 − ! ! ! = 1 ! !!
! ! ! ! = 1 = 0.1!!
! ! ! = 1 = 0.9!! è Test suitable to discover randomness
è But does not consider G(s) as random
!"# !, ! ! = 0.1 − 0.9! = 0.8!!
è Weak PRG
22. Stream Cipher Example: A5/1 Keystream Generator
■ Purpose: encryption of data in GSM networks
■ Voice calls, text messages
■ Developed 1987
■ Based on shift registers
■ Designed for hardware implementation
■ Generation of pseudo random key (G(s))
■ 3 Linear Feedback Shift Register (LFSR)
■ X: 19 bits, Y: 22 bits, Z: 23 bits
■ Clocked with a majority rule maj(x8,y10,z10)
■ Seed (64 bits) filled into register
■ Initialization procedures with seed and 22-bit number
T. Zseby, VU Network Security 22
23. A5/1 Keystream Generator
T. Zseby, VU Network Security 23
Source: wikipedia
Clocking bit:
If x8=maj(x8,y10,z10) è register X steps
If y10=maj(x8,y10,z10) è register Y steps
If z10=maj(x8,y10,z10) è register Z steps
24. A5/1 Security
■ Keysize too small (64-bit)
■ “Security by Obscurity” è Violation of Kerckhoffs’s Principles
■ Algorithm was kept secret è re-engineered è problems found
■ Some flaws in structure of registers*
■ With first 2 min of conversation è 1 sec to crack key
■ With arbitrary 2 sec of conversation è several min
■ A5/2
■ Weaker version
■ A5/3
■ KASUMI Block Cipher
■ 128 bit, used in 3G
■ related key attack possible**
T. Zseby, VU Network Security 24
* Source: Biryukov et al. Real Time Cryptanalysis of A5/1 on a PC. 7th International Workshop on Fast Software Encryption, 2000
** Dunkelman, Keller, Shamir, A Practical-Time Attack on the A5/3 Cryptosystem Used in Third Generation GSM Telephony, 2010
25. Example Stream Cipher: RC4
■ Developed by Ronald Rivest (Ron's Code 4)
■ Each step of PRG generates one byte of keystream
■ Designed for software implementation
■ Initially kept secret (later published as Alleged RC4 )
■ Self-modifying lookup table
■ Permutation of 256 byte values
■ Table changes every time a keystream byte is created
■ Random seed initializes lookup table
■ Used in
■ WEP, WPA (not WPA2)
■ initially in TLS/SSL (now other ciphers supported)
T. Zseby, VU Network Security 25
26. RC4
■ Byte array S
■ Permutation of all possible bytes è 256 entries
■ Byte array K for initial key
■ 2 index pointer i, j
■ Seed (master key)
■ 1 ≤ keylength ≤ 256 (typically 40 – 128 bits)
■ Filled in K
T. Zseby, VU Network Security 26
i 0 1 2 3 4 5 …
S[i] S[0] S[1] S[2] S[3] …
K[i] K[0] K[1] K[2] K[3] …
Bytearray K
Bytearray S
i j
27. RC4 Initializtion
T. Zseby, VU Network Security 27
for i=0 to 255
S[i]=i
K[i]=key(i mod N)
next i
Set array to identity permutation
Fill K with seed, repeat seed if seed <256
i 0 1 2 3 4 5 …
S[i] 0 1 2 3 4 5 …
K[i] k0 k1 k2 k3 k4 k5 …
j=0
for i=0 to 255
j=(j+S[i]+K[i]) mod 256 Calculate index j using S and key bytes
swap(S[i],S[j]) Swap Bytes
next i
i=j=0 Initialize indices
Source: M. Stamp, Information Security: Principles and Practice, 2011
i 0 1 2 3 4 5 …
S[i] S[0] S[1] S[2] S[3] S[4] S[5] …
i j
swap
28. RC4 Operation
Generate one byte keystream for each byte of plaintext
Generation Algorithm (after initialization):
i=i+1 mod 256 Increase index i
j=(j+S[i]) mod 256 Calculate index j
swap(S[i],S[j]) Swap Bytes
t=(S[i]+S[j]) mod 256 Calculate index t
output S[t] Output byte for keystream
T. Zseby, VU Network Security 28
Source: M. Stamp, Information Security: Principles and Practice, 2011
29. RC4
T. Zseby, VU Network Security 29
Source: wikipedia
1. Calculate Index t=S[i]+S[j]
S[t]
2. Output Byte
For keystream
30. IEEE 802.11b Wired Equivalent Privacy (WEP)
■ Encryption of wireless communication
■ Uses RC4 stream cipher
■ Long term key (real random seed):
■ 40 bit key or 104 bit key
■ 24 bit initialization vector (IV)
■ Changed for subsequent messages
■ Prepended to key to prevent repetitions
■ Transmitted in plaintext to inform communication partner (and allow
decryption)
T. Zseby, VU Network Security 30
i 0 1 2 3 4 5 …
S[i] 0 1 2 3 4 5 …
K[i] IV1 IV2 IV3 k0 k1 k2 …
31. WEP
T. Zseby, VU Network Security 31
Source: wikipedia
Initialization Vector (IV) transmitted as plain text
32. Fluhrer-Mantin-Shamir Attack on WEP
■ Situation for adversary
■ IV known (submitted in plaintext)
■ Key unknown
■ Prerequisite
■ Adversary knows many ciphertext messages (e.g., from eavesdropping)
■ Adversary knows (or can guess) first byte of plaintext
■ e.g. from standard message formats
è known-plaintext attack
■ Goal: Discover the secret key (seed)
T. Zseby, VU Network Security 32
Source: M. Stamp, Information Security: Principles and Practice, 2011
33. Fluhrer-Mantin-Shamir Attack on WEP
T. Zseby, VU Network Security 33
!" = 3,255, ! !
Assume Initialization Vector (IV) with the following 3 bytes:
- V is arbitrary value
- Whole IV (including V) is known to attacker
- Observing traffic è just wait until IV of above
form occurs
34. WEP Initialization
T. Zseby, VU Network Security 34
2. Build K[i] (input to RC4 algorithm) from IV and key (seed):
for i=0 to 255
S[i]=i
next i
1. Fill S[i] with identitiy permutation:
i 0 1 2 3 4 5 …
S[i] 0 1 2 3 4 5 …
i 0 1 2 3 4 5 …
K[i] 3 255 V k0 k1 k2 …
35. WEP Initialization
T. Zseby, VU Network Security 35
j=0
for i=0 to 255
j=(j+S[i]+K[i]) mod 256
swap(S[i],S[j])
next i
3. Calculate j
i=0
j=(0+S[0]+K[0]) mod 256 = 3
4. Swap(S[i],S[j]) (with i=0, j=3):
0 3
i 0 1 2 3 4 5 …
S[i] 0 1 2 3 4 5 …
K[i] 3 255 V k0 k1 k2 …
i 0 1 2 3 4 5 …
S[i] 3 1 2 0 4 5 …
K[i] 3 255 V k0 k1 k2 …
36. WEP Initialization
T. Zseby, VU Network Security 36
j=0
for i=0 to 255
j=(j+S[i]+K[i]) mod 256
swap(S[i],S[j])
next i
5. Calculate new j
i=1
j=(j+S[1]+K[1]) mod 256
=(3+1+255) mod 256=3
6. Swap(S[i],S[j]) (with i=1, j=3)
i 0 1 2 3 4 5 …
S[i] 3 1 2 0 4 5 …
K[i] 3 255 V k0 k1 k2 …
i 0 1 2 3 4 5 …
S[i] 3 0 2 1 4 5 …
K[i] 3 255 V k0 k1 k2 …
37. WEP Initialization
T. Zseby, VU Network Security 37
j=0
for i=0 to 255
j=(j+S[i]+K[i]) mod 256
swap(S[i],S[j])
next i
7. Calculate new j
i=2
j=(3+S[2]+K[2]) mod 256
=(3+2+V) mod 256 = (5+V) mod 256
8. Swap(S[i],S[j]) (with i=2, j=5+V mod 256)
i 0 1 2 3 4 5 … 5+V
S[i] 3 0 2 1 4 5 … 5+V
K[i] 3 255 V k0 k1 k2 … k2+V
i 0 1 2 3 4 5 … 5+V
S[i] 3 0 5+V 1 4 5 … 2
K[i] 3 255 V k0 k1 k2 … k2+V
38. WEP Initialization
T. Zseby, VU Network Security 38
j=0
for i=0 to 255
j=(j+S[i]+K[i]) mod 256
swap(S[i],S[j])
next i
9. Calculate new j
i=3
j= (5+V+S[3]+K[3]) mod 256
= (5+V+1+K[3]) mod 256
= (6+V+K[3]) mod 256
10. Swap(S[i],S[j]) (with i=3, j=6+V +K[3] mod256)
i 0 1 2 3 4 5 … 5+V … 6+V+K[3]
S[i] 3 0 5+V 1 4 5 … 2 … 6+V+K[3]
K[i] 3 255 V k0 k1 k2 … k2+V … k6+V+K[3]
i 0 1 2 3 4 5 … 5+V … 6+V+K[3]
S[i] 3 0 5+V 6+V+K[3] 4 5 … 2 … 1
K[i] 3 255 V k0 k1 k2 … k2+V … k6+V+K[3]
39. Array after 4 Rounds Initialization (i=3)
T. Zseby, VU Network Security 39
Assume RC4 stops after i=3 and we start keystream generation (i=0, j=0):
i=i+1 mod 256 è i=1
j=(j+S[i]) mod 256 è j=0+S[1]=0
swap(S[i],S[j]) è swap(S[1],S[0])
t=(S[i]+S[j]) mod 256 è t=S[1]+S[0]=3+0=3
output S[t] è S[t]=S[3]=6+V+K[3]
S[t] is first keystream byte
i 0 1 2 3 4 5 … 5+V … 7+V+K[3]
S[i] 3 0 5+V 6+V+K[3] 4 5 … 2 … 1
i 0 1 2 3 4 5 … 5+V … 7+V+K[3]
S[i] 0 3 5+V 6+V+K[3] 4 5 … 2 … 1
40. RC4: Discovering Parts of the Key
T. Zseby, VU Network Security 40
S[t]=S[3]=6+V+K[3] è S[3] is first keystream byte
Assumption was:
- Adversary knows ciphertext messages
- Adversary knows first byte of plaintext
- Adversary knows V
Encryption of first byte:
! = ! ! !!!
known
known
unknown 1st keystream byte=S[3]
41. RC4: Discovering Parts of the Key
■ deduce S[3] with
■ recover K[3] (first byte of secret key)
T. Zseby, VU Network Security 41
!! 0 = ! 0 ! 3 !!!
!! 3 = ! 0 ! 0 !!!
S[3]=6+V+K[3]
K[3]=S[3]-6-V
i 0 1 2 3 4 5 …
K[i] 3 255 V k0 k1 k2 …
first byte of secret key (seed)
discovered!
! = ! ! !!!
è 1st keystream byte S[3]
42. RC4: Discovering Remaining Parts of the Key
■ If K[3] known
■ look for IVs with IV=(4,255,V)
■ Repeat whole the procedure
■ First byte of keystream S[4]=10+V+K[3]+K[4]
■ Recover K[4] è recover second byte of seed
■ If enough IVs (enough observations) è can recover arbitrary bytes of
secret key (seed)
■ WEP “unsafe at any keysize”
T. Zseby, VU Network Security 42
i 0 1 2 3 4 5 …
K[i] 4 255 V k0 k1 k2 …
S[i] 0 1 2 3 4 5 …
S[i] 4 1 2 3 0 5 …
43. RC4: Discovering Parts of the Key
■ But: RC4 Initialization takes 256 steps
■ If S[0],S[1] or S[3] are changed during initialization èAttack
does no longer work
■ Probability that S[0],S[1] or S[3] is changed?
■ Only possible during swap(S[i],S[j])
■ Index i è no influence (already at i=4)
■ è only swapped if index j=0 or j=1 or j=3
T. Zseby, VU Network Security 43
44. RC4: Discovering Parts of the Key
■ Probability that j=0 or j=1 or j=3?
■ Probability that j=0 (for random j and one step)
■ Probability that j=0 OR j=1 OR j=3:
■ Probability that S[0], S[1], S[3] remain (after one step)
T. Zseby, VU Network Security 44
! (! = 0) ∪ (! = 1) ∪ (! = 2) =
!
!"#
!!
! ! = 0 =
!
!"#
!! same for others
!(#[0], #[1], #[3] +,-./0) = 1 −
!
"#$
=
"#!
"#$
= 0.988
45. RC4: Discovering Parts of the Key
■ Probability that S[0], S[1], S[3] remain after additional 252 initialization
steps:
■ None changed in 5% of the time
■ K[3]=S[3]-6-V in 5% of times
■ With n=60 messages (with same IV)
■ 0.05*n=3 è expected to see K[3] three times
■ Adversary just needs sufficient equal IVs (3,255,V)
■ 24 bit IV è224 different values possible
T. Zseby, VU Network Security 45
! !"!#!!ℎ!"#$% =
!"#
!"#
!"!
≈ 0.05!!
46. Preventing WEP Attack
■ Possibilities to prevent Fluhrer-Mantin-Shamir attack
■ Add 256 additional steps è start keystream generation and discard
first 256 bytes
■ Combine key with IV in other ways
■ But: WEP has further problems
■ Other attacks on RC4 possible
■ 2011: Sepehrdad, et al., “Discovery and Exploitation of New Biases in
RC4,” in Selected Areas in Cryptography, 2011
■ 2013: AlFardan, et al.: On the Security of RC4 in TLS and WPA,
USENIX Security, 2013
■ Heise News: http://www.heise.de/security/meldung/NSA-
entschluesselt-Webserver-Daten-angeblich-in-Echtzeit-2041383.html
T. Zseby, VU Network Security 46
47. Stream Cipher Advantages
■ Fast
■ Simple
■ Keystream for each byte
■ no retransmission of block if transmission errors
■ No padding
■ Easy to implement in hardware
■ Useful for
■ Resource constraint devices
■ High data rates
■ High error rates
T. Zseby, VU Network Security 47
48. Stream Cipher Examples
■ A5/1
■ Optimized for hardware implementation
■ Bitwise generation of keystream
■ Small key (64 bits)
■ Initially violation of Kerckhoffs's principle
■ Efficient attacks known
■ RC4
■ Optimized for software implementation
■ Bytewise generation of keystream
■ Initially violation of Kerckhoffs's principle
■ Today not considered secure
■ Bad implementations, e.g. WEP
■ Alternatives: Rabbit, Salsa20/12, SOSEMANUK
T. Zseby, VU Network Security 48
50. Block Ciphers
■ Basic Idea: similar to codebook
■ Algorithm operates on message blocks of fixed length
■ Usually a product cipher with multiple iterations (rounds) of S-
Box and P-Box operations
■ Key
■ Specifies the transformation
■ Usually split into sub-keys (round keys) to get a different key for
each round
■ Parameters: block size, encryption and decryption algorithms, key
■ Encryption of bulk data
T. Zseby, VU Network Security 50
51. Feistel Cipher
T. Zseby, VU Network Security 51
Source: wikipedia
F - round function
K0, K1,…Kn - round keys
Plaintext split into left (L) and right (R) part
Encryption:
Decryption:
Output Ciphertext:
Output Plaintext:
Input Plaintext:
Input Ciphertext:
52. Data Encryption Standard (DES)
■ 1971 IBM invents Lucifer Cipher
■ Based on Feistel cipher
■ 1973 US NBS (National Bureau of Standards, now NIST) issues
call for a data encryption standard that fulfills their (and NSA)
needs
■ è no suitable candidate
■ 1974 new call
■ IBM submits cipher based on Lucifer
■ Selected as suitable candidate
■ 1976 modified version of Lucifer becomes federal standard DES
T. Zseby, VU Network Security 52
53. DES Structure
■ Block cipher
■ Blocklength: 64 bits
■ Key (seed): 56 bits
■ Subkeys: 48 bits
■ Feistel Structure
■ 16 Rounds
■ Round Function F
T. Zseby, VU Network Security 53
Initial Permutation
Final Permutation
Source: wikipedia
!!!! !!!!
54. DES Round Function
T. Zseby, VU Network Security 54
! !!!!, !! = !_!"#(!_!"#$% !"#$%& !!!! ⊕!!! )! !!
Feistel Cipher with Round Function:
Source: wikipedia
1. Expansion 32è 48 bits
2. XOR with subkey
3. Substitution (S-Boxes)
4. Permutation (P-Box)
55. DES Security
■ Today:
■ Not considered secure è key too small (56 bits)
■ Exhaustive Key search 256=72*1015
■ DES Challenge
■ Launched by RSA Security
■ Goal: Demonstrate that 56 bit key not sufficient
■ Given: some plaintext with matching ciphertext (known-plaintext
attack)
■ Task: find key
■ Using exhaustive key search
T. Zseby, VU Network Security 55
56. DES Security
■ 1997 DESHALL è 140 days
■ Distributed computing over Internet
■ Clients connected to key server and got tasks
■ Nearly 80.000 participants (according to DESCHALL)
■ 1998 Deep Crack è 56 hours
■ Electronic Frontier Foundation (EFF)
■ 1536 specialized crypto chips
■ 88 billion keys/sec
■ Costs: 250.000 USD
■ 1999 Joint effort è 22 hours
■ Deep Crack together with distributed computing
T. Zseby, VU Network Security 56
57. DES Security
■ 2006 COPACOBANA è 6.4. days (average)
■ Cost-Optimized Parallel Code Breaker
■ Ruhr-University Bochum and University Kiel
■ Machine with 120 FPGAs
■ Optimized for cryptanalysis
■ Can test 65 billion keys per second
■ Costs: 10.000 USD
T. Zseby, VU Network Security 57
58. Triple DES (TDES, 3DES)
■ Double DES
■ Repeat encryption
■ Keylength 2x56=112 bits
■ But chosen-plaintext attack exists
■ Triple DES
■ Encrypt-decrypt-encrypt
T. Zseby, VU Network Security 58
! = #(#(%, '(), '*)
! = ! ! ! !, !! , !! , !! !!
59. 3DES
■ Why not: ?
■ è Backwards compatibility
■ If kA=kB =kCè single DES
T. Zseby, VU Network Security 59
! = ! ! ! !, !! , !! , !! !!
! = ! ! ! !, !! , !! , !! = ! !, !! !!
60. DES Successor
■ 1997 NIST calls for new cipher standard: Advanced Encryption
Standard (AES)
■ Requirements
■ Symmetric block cipher
■ Block size: 128 Bit
■ Support key lengths of 128, 192 and 256 bits
■ Easy to implement in hardware and software
■ Very good performance
■ Secure against all known attacks
■ Resource efficient (use in smart cards
■ Free available (no license fees)
■ è 15 submissions
T. Zseby, VU Network Security 60
61. Advanced Encryption Standard (AES)
■ Rijndael Algortihm
■ Successor of DES/3DES
■ 2000 announced as standard
■ Block lengths: 128 bits
■ generic Rijndahl allows also others
■ Rounds: 10-14 (depending on key length)
■ Key lengths: 128, 192 or 256 bits
T. Zseby, VU Network Security 61
62. AES is a Substitution-Permutation Network
T. Zseby, VU Network Security 62
Source: wikipedia
Substitution Layer
Permutation Layer
Key Addition Layer
63. AES Operation
■ SubBytes
■ substitute bytes in message
■ ShiftRows
■ shift bytes within a row of the block
■ MixColumns
■ multiply columns with matrix
■ except in final round
■ AddRoundKey
■ XOR column with part of round key
■ Exact description of all functions in NIST AES Standard
■ Kerckhoffs's Principle
T. Zseby, VU Network Security 63
64. AES
■ AES used in
■ WPA2 IEEE 802.11i encryption (Wi-Fi Protected
Access 2)
■ SSH
■ IPsec
■ Skype
■ And many more…
T. Zseby, VU Network Security 64
65. Block Ciphers vs. Stream Ciphers
■ Stream
■ RC4 è126 MB/sec
■ Salsa 20/12 è 643 MB/sec
■ Sosemanuk è727 MB/sec
■ Block
■ 3DES (64 bit blocksize, 168 bit key) è13 MB/sec
■ AES-128 (128 bit blocksize, 128 bit key) è 109 MB/sec
è Stream ciphers faster
(exact numbers dependent on hardware and experiments settings)
T. Zseby, VU Network Security 65
Source: Dan Boneh, Cryptography I
66. Block Ciphers vs. Stream Ciphers
■ Stream Ciphers
■ Speed and Simplicity
■ Useful for high data rates, resource constraint environments
■ Block Ciphers
■ Good for encryption of bulk data
■ Better security
■ Slower
■ Blocks è may require padding of messages
■ Transmission error è block retransmission
■ Can be used to generate stream cipher
T. Zseby, VU Network Security 66
68. Block Cipher Modes
■ How to split data into blocks?
■ How to preprocess blocks?
■ How to apply encryption scheme?
■ è Different Block Cipher Modes
T. Zseby, VU Network Security 68
69. Electronic Codebook (ECB) Mode
■ Message is split into blocks of equal size
■ If needed padding
■ Each block encrypted independently
Problem?
èequal plaintext generates equal ciphertext
T. Zseby, VU Network Security 69
Source: wikipedia
72. Source: wikipedia
r1 r2 r3
Idea: Randomization
■ XOR random number before encryption
■ Transmit random numbers with CT
■ Advantage: Randomization
■ Disadvantages
■ Need to transmit random number per block
■ Attacker can change decrypted PT by changing r
■ Attacker can swap blocks to change PT
T. Zseby, VU Network Security 72
73. Cipher Block Chaining (CBC)
■ Initialization vector (IV)
■ XOR random IV to first block
■ XOR result to next block etc.
■ è generate own random numbers from IV and PT
■ Randomization without need to transmit random number
T. Zseby, VU Network Security 73
Source: wikipedia
75. CBC
■ Randomization
■ Random IV ensures that CT changes even if PT remains
■ Adversary cannot tell if PT has changed
■ Similar performance to ECB
■ Just add generation and transmission of IV
■ Disadvantages:
■ Dependencies: If one character lost in transmission è whole
message is corrupted
■ If attacker changes cn it has an effect on mn+1 because cn is used
to decrypt cn+1
■ Complete PT block to generate CT
T. Zseby, VU Network Security 75
76. Output Feedback (OFB)
■ PT not needed for randomization
T. Zseby, VU Network Security 76
Source: wikipedia
77. Output Feedback (OFB)
■ Advantage:
■ Can generate keystream without plaintext
■ No padding or waiting until enough bits for block
■ Can use keystream like stream cipher !
T. Zseby, VU Network Security 77
Source: wikipedia
78. Cipher Feedback (CFB)
■ Less vulnerable to tampering (compared to CBC)
■ Can re-synchronize if one block is lost or corrupted
■ Generates keystream but needs message è cannot be generated in advance
T. Zseby, VU Network Security 78
Source: wikipedia
79. Counter Mode (CTR)
■ Realizes a stream cipher
■ No dependence on message è key stream pre-computed
■ Initialization Vector is incremented
■ Nonce remains
■ Counter incremented
T. Zseby, VU Network Security 79
Source: wikipedia
81. Bob
Man in the Middle
Man in the Middle: “A form of active wiretapping attack in which the attacker intercepts and
selectively modifies communicated data to masquerade as one or more of the entities
involved in a communication association.” [RFC4949]
How to protect communication against message modification?
T. Zseby, VU Network Security 81
Message Message*
Malory
Alice
82. Goal: Integrity
“…data has not been changed, destroyed, or lost in an
unauthorized or accidental manner.” [RFC4949]
83. Message Authentication Code (MAC)
T. Zseby, VU Network Security 83
Alice Bob
m,t
t=S(m,k)
Message Authentication Message Verification
- Calculate tag
- Compare tags
- Accept or reject
- Generate a tag t
- Append tag to message as MAC
k k
t’=S(m,k)
If t’=t è accept
84. Using CRC?
■ CRC does not use key è not suitable
T. Zseby, VU Network Security 84
Alice Bob
m,t
t=CRC(m) V(m*,CRC*)
Mallory
m*,CRC*
t*=CRC(m*)
è accept
85. Message Authentication Code (MAC)
■ Adversary does not know secret key k
■ è cannot calculate correct tag for modified message
T. Zseby, VU Network Security 85
Alice Bob
m,t
t=S(m,k)
k k
Mallory
m*,?
t*=S(m*,?)
87. Message Authentication Code (MAC)
■ Using a valid Message Authentication Code
■ With a secret key
Q: Can Bob prove (in a court) that message was sent by Alice?
T. Zseby, VU Network Security 87
k k
Alice Bob
m,t
t=S(m,k) t’=S(m,k)
If t’=t è accept
88. MAC vs. Digital Signatures
■ MAC
■ Verify that message was not altered
■ Generation and Verification of MAC with same secret key (symmetric
cryptography)
è everyone who knows secret key can generate MAC
è Bob can create MAC for message from Alice
■ Digital Signatures
■ Purpose: prove that message was sent by a specific sender (non-
repudiation)
■ Only originator of message should be able to provide correct signature
è Possible with asymmetric cryptography
T. Zseby, VU Network Security 88
89. MAC Generation (Possibility 1)
■ Cipher-Based Message Authentication Code (CMAC)
■ Based on block cipher (3DES, AES)
■ Advantage:
■ Same operation for encryption and message authentication
■ Example: Cipher Block Chaining (CBC) MAC
■ Use last block of CBC operation (CBC residue) as MAC
■ Depends on message and key
T. Zseby, VU Network Security 89
90. CBC MAC
■ Calculated based on message and key
T. Zseby, VU Network Security 90
Source: wikipedia
91. CBC MAC Options
■ How to use last block?
■ Idea 1: just resend last block (raw CBC)
■ Could be done by anyone
■ Not a good option è not secure
■ Idea 2: calculate CBC residue
■ Attach to plaintext
■ Encrypt both
T. Zseby, VU Network Security 91
92. CBC-MAC Option?
■ Any Problem with this?
■ è c7 is encryption of block with all zeros
■ è known plaintext situation (adv. knows CT for message=000...)
T. Zseby, VU Network Security 92
Source: Kaufman, Perlman, Speciner: Network Security: Private Communication in a Public World, Prentice Hall; 2 edition, 2002
CBC residue
!!⨁!! = 0!!!
Plaintext message
0000..
93. CBC MAC Options
■ Solution:
■ Use different keys for encryption and MAC
■ Calculate encrypted message with encryption key
■ Calculate CBC residue with message authentication key
T. Zseby, VU Network Security 93
94. MAC Generation (Possibility 2)
■ Keyed-Hash Message Authentication Code (HMAC)
■ Based on cryptographic hash functions
■ Generate MAC from:
■ Cryptographic hash function (e.g. MD5, SHA-2) and
■ Secret key (è keyed hash)
T. Zseby, VU Network Security 94
96. Cryptographic Hash Functions
■ Compression
■ len(h(x)) < len(x)
■ h(x) usually fixed size
■ Efficiency
■ Easy to compute h(x) for any x
■ One-way
■ No feasible way to invert hash, i.e. find x for a given y=h(x)
■ Weak collision resistance
■ Given x and h(x) infeasible to find any y such that h(y)=h(x)
■ Not feasible to modify message without changing the hash
■ Strong collision resistance
■ Infeasible to find any x and y s.t. h(y)=h(x)
■ Cannot find any two inputs that hash to the same output
T. Zseby, VU Network Security 96
Source: M. Stamp, Information Security: Principles and Practice, 2011
x è h(x)
97. HMAC Construction
T. Zseby, VU Network Security 97
! ! ⊕ !"#$ |! ! ⊕ !"#$ |! !
inner padding (constant)
outer padding (constant)
Source: NIST FIPS PUB 198-1
if keysize < blocksize è append 0s
If keysize > blocksize è H(key) and append 0s
apply hash function
concatenate
apply hash function
concatenate
Determine K0
Steps 1-3:
K0 † ipad
H((K0 † ipad) || text)
K0 † opad
Step 4:
Step 5:
Step 7:
Step 8:
Step 9:
Step 6:
H((K0 † opad) || H((K0 † ipad) || text))
Figure 1: Illustration of the HMAC Construction
(K0 † opad) || H ((K0 † ipad) || text)
(K0 † ipad) || text
98. HMAC Construction
T. Zseby, VU Network Security 98
Source: By Gdrooid - Own work, CC0,
https://commons.wikimedia.org/w/index.php?curid=34446189
99. Message-Digest Algorithm 5 (MD5)
■ Cryptographic hash function, 1991
■ RFC1321, RFC 6151 (Updated Security Consideration)
■ Generates 128 bit hash value
■ Merkle-Damgård Construction with 4 rounds
■ Used to check files
■ MD5 value provided together with file
■ After download generate MD5 from file
■ Compare with provided MD5 value
■ Security
■ Some methods published to find collisions
■ Today not considered secure
T. Zseby, VU Network Security 99
100. Secure Hash Algorithm (SHA)
■ SHA-1 (1995)
■ Merkle-Damgård Construction with 80 rounds
■ 160 bit hash value
■ 2005: method to find collisions
■ SHA-2 (2001):
■ Set of cryptographic hash functions
■ Merkle-Damgård Construction with 64 or 80 rounds
■ Different hash sizes: SHA-224, SHA-256, SHA-384, SHA-512
■ SHA-3 (2012)
■ Completely new algorithm
■ Arbitrary hash sizes
T. Zseby, VU Network Security 100
101. Authenticated Encryption
■ Provide both: Confidentiality and Message Integrity
■ Encryption è Confidentiality
■ Message Authentication è Message Integrity
■ Which operation first?
T. Zseby, VU Network Security 101
102. Authenticated Encryption Options
■ Encrypt-and–MAC
■ Encrypt message
■ Calculate MAC from (PT) message
■ è no integrity of CT, MAC may reveal PT info
■ MAC-then-encrypt
■ Calculate MAC and append to message
■ Encrypt message (with appended MAC)
■ è no integrity of CT
■ Encrypt-then-MAC
■ Encrypt message
■ MAC over encrypted message è integrity of CT
■ è best option, standard method
T. Zseby, VU Network Security 102
103. Message Authentication Codes Summary
■ Ensures integrity of the data
■ Data was not changed on the path
■ But does not ensure non-repudiation
■ Everyone who knows symmetric key can generate valid MAC
■ è difference to digital signature
■ MAC generation
■ Cryptographic hash function AND secret key
■ HMAC Standard
■ Authenticated Encryption
■ Message encryption and authentication
■ è Encrypt then MAC
T. Zseby, VU Network Security 103