Network Security Network Security Essentials Essentials Chapter 2 - - PowerPoint PPT Presentation

Network Security Network Security Essentials Essentials Chapter 2 Chapter 2

Fourth Edition Fourth Edition by William Stallings by William Stallings Lecture slides by Lawrie Brown Lecture slides by Lawrie Brown

Encryption Encryption

• What

What is is encryption? Why do we need it? encryption? Why do we need it?

 No, seriously, let's discuss this. Why do we

No, seriously, let's discuss this. Why do we need it? need it?

Symmetric Encryption Symmetric Encryption

• or conventional /
• r conventional / private-key

private-key / single-key / single-key

• sender and recipient share a common key

sender and recipient share a common key

• all classical encryption algorithms are

all classical encryption algorithms are private-key private-key

• was only type prior to invention of public-

was only type prior to invention of public- key in 1970’s key in 1970’s

• and by far most widely used

and by far most widely used

Some Basic Terminology Some Basic Terminology

• plaintext

plaintext - original message

• original message
• ciphertext

ciphertext - coded message

• coded message
• cipher

cipher - algorithm for transforming plaintext to ciphertext

• algorithm for transforming plaintext to ciphertext
• key

key - info used in cipher known only to sender/receiver

• info used in cipher known only to sender/receiver
• encipher (encrypt)

encipher (encrypt) - converting plaintext to ciphertext

• converting plaintext to ciphertext
• decipher (decrypt)

decipher (decrypt) - recovering ciphertext from plaintext

• recovering ciphertext from plaintext
• cryptography

cryptography - study of encryption principles/methods

• study of encryption principles/methods
• cryptanalysis (codebreaking)

cryptanalysis (codebreaking) - study of principles/

• study of principles/

methods of deciphering ciphertext methods of deciphering ciphertext without without knowing key knowing key

• cryptology

cryptology - field of both cryptography and cryptanalysis

• field of both cryptography and cryptanalysis

Some Basic Terminology Some Basic Terminology

• cleartext

cleartext - is this the same as plaintext?

• is this the same as plaintext?
• Also, do all ciphers need a key?

Also, do all ciphers need a key? – Is a password the same as a key? Is a password the same as a key? – Are there ciphers that use neither? Are there ciphers that use neither?

Symmetric Cipher Model Symmetric Cipher Model

Requirements Requirements

• two requirements for secure use of

two requirements for secure use of symmetric encryption: symmetric encryption:

 a strong encryption algorithm

a strong encryption algorithm

 a secret key known only to sender / receiver

a secret key known only to sender / receiver

• mathematically have:

mathematically have:

Y Y = E(K, = E(K, X X) ) X X = D(K, = D(K, Y Y) )

• assume encryption algorithm is known

assume encryption algorithm is known

• implies a secure channel to distribute

implies a secure channel to distribute key key

Cryptography Cryptography

• can characterize cryptographic system by:

can characterize cryptographic system by:

 type of encryption operations used

type of encryption operations used

• substitution

substitution

• transposition

transposition

• product

product

 number of keys used

number of keys used

• single-key or private

single-key or private

• two-key or public

two-key or public

 way in which plaintext is processed

way in which plaintext is processed

• block

block

• stream

stream

Cryptanalysis Cryptanalysis

• objective to recover key not just message
• bjective to recover key not just message
• general approaches:

general approaches:

 cryptanalytic attack

cryptanalytic attack

 brute-force attack

brute-force attack

• if either succeed all key use compromised

if either succeed all key use compromised

 Hence the value of

Hence the value of perfect forward secrecy perfect forward secrecy

Cryptanalytic Attacks Cryptanalytic Attacks

• ciphertext only

ciphertext only

 only know algorithm & ciphertext, is statistical,

• nly know algorithm & ciphertext, is statistical,

know or can identify plaintext know or can identify plaintext

• known plaintext

known plaintext

 know/suspect plaintext & ciphertext

know/suspect plaintext & ciphertext

• chosen plaintext

chosen plaintext

 select plaintext and obtain ciphertext

select plaintext and obtain ciphertext

• chosen ciphertext

chosen ciphertext

 select ciphertext and obtain plaintext

select ciphertext and obtain plaintext

• chosen text

chosen text

 select plaintext or ciphertext to en/decrypt

select plaintext or ciphertext to en/decrypt

Brute Force Search Brute Force Search

• always possible to simply try every key

always possible to simply try every key

• most basic attack, proportional to key size

most basic attack, proportional to key size

• assume either know / recognize plaintext

assume either know / recognize plaintext

Key Size (bits) Number of Alternative Keys Time required at 1 decryption/µs Time required at 106 decryptions/µs 32 232 = 4.3  109 231 µs = 35.8 minutes 2.15 milliseconds 56 256 = 7.2  1016 255 µs = 1142 years 10.01 hours 128 2128 = 3.4  1038 2127 µs = 5.4  1024 years 5.4  1018 years 168 2168 = 3.7  1050 2167 µs = 5.9  1036 years 5.9  1030 years 26 characters (permutation) 26! = 4  1026 2  1026 µs = 6.4  1012 years 6.4  106 years

Feistel Cipher Structure Feistel Cipher Structure

• Horst Feistel devised the

Horst Feistel devised the feistel cipher feistel cipher

 based on concept of invertible product cipher

based on concept of invertible product cipher

• partitions input block into two halves

partitions input block into two halves

 process through multiple rounds which

process through multiple rounds which

 perform a substitution on left data half

perform a substitution on left data half

 based on round function of right half & subkey

based on round function of right half & subkey

 then have permutation swapping halves

then have permutation swapping halves

• implements Shannon’s S-P net concept

implements Shannon’s S-P net concept

Feistel Cipher Structure Feistel Cipher Structure

Feistel Cipher Design Elements Feistel Cipher Design Elements

• block size

block size

• key size

key size

• number of rounds

number of rounds

• subkey generation algorithm

subkey generation algorithm

• round function

round function

• fast software en/decryption

fast software en/decryption

• ease of analysis

ease of analysis

Data Encryption Standard (DES) Data Encryption Standard (DES)

• most widely used block cipher in world

most widely used block cipher in world

• adopted in 1977 by NBS (now NIST)

adopted in 1977 by NBS (now NIST)

 as FIPS PUB 46

as FIPS PUB 46

• encrypts 64-bit data using 56-bit key

encrypts 64-bit data using 56-bit key

• has widespread use

has widespread use

• has been considerable controversy over

has been considerable controversy over its security its security

DES History DES History

• IBM developed Lucifer cipher

IBM developed Lucifer cipher

 by team led by Feistel in late 60’s

by team led by Feistel in late 60’s

 used 64-bit data blocks with 128-bit key

used 64-bit data blocks with 128-bit key

• then redeveloped as a commercial cipher

then redeveloped as a commercial cipher with input from NSA and others with input from NSA and others

• in 1973 NBS issued request for proposals

in 1973 NBS issued request for proposals for a national cipher standard for a national cipher standard

• IBM submitted their revised Lucifer which

IBM submitted their revised Lucifer which was eventually accepted as the DES was eventually accepted as the DES

DES Design Controversy DES Design Controversy

• although DES standard is public

although DES standard is public

• was considerable controversy over design

was considerable controversy over design

 in choice of 56-bit key (vs Lucifer 128-bit)

in choice of 56-bit key (vs Lucifer 128-bit)

 and because design criteria were classified

and because design criteria were classified

• subsequent events and public analysis

subsequent events and public analysis show in fact design was appropriate show in fact design was appropriate

• use of DES has flourished

use of DES has flourished

 especially in financial applications

especially in financial applications

 still standardised for legacy application use

still standardised for legacy application use

Multiple Encryption & DES Multiple Encryption & DES

• clear a replacement for DES was needed

clear a replacement for DES was needed

 theoretical attacks that can break it

theoretical attacks that can break it

 demonstrated exhaustive key search attacks

demonstrated exhaustive key search attacks

• AES is a new cipher alternative

AES is a new cipher alternative

• prior to this alternative was to use multiple

prior to this alternative was to use multiple encryption with DES implementations encryption with DES implementations

• Triple-DES is the chosen form

Triple-DES is the chosen form

Double-DES? Double-DES?

• could use 2 DES encrypts on each block

could use 2 DES encrypts on each block

 C = E

C = EK2

K2(E

(EK1

K1(P))

(P))

• issue of reduction to single stage

issue of reduction to single stage

• and have “meet-in-the-middle” attack

and have “meet-in-the-middle” attack

 works whenever use a cipher twice

works whenever use a cipher twice

 since

since X = E X = EK1

K1(P) = D

(P) = DK2

K2(C)

(C)

 attack by encrypting P with all keys and store

attack by encrypting P with all keys and store

 then decrypt C with keys and match X value

then decrypt C with keys and match X value

 can show takes

can show takes O(2 O(256

56)

) steps steps

Triple-DES with Two-Keys Triple-DES with Two-Keys

• hence must use 3 encryptions

hence must use 3 encryptions

 would seem to need 3 distinct keys

would seem to need 3 distinct keys

• but can use 2 keys with E-D-E sequence

but can use 2 keys with E-D-E sequence

 C = E

C = EK1

K1(D

(DK2

K2(E

(EK1

K1(P)))

(P)))

 nb encrypt & decrypt equivalent in security

nb encrypt & decrypt equivalent in security

 if

if K1=K2 K1=K2 then can work with single DES then can work with single DES

• standardized in ANSI X9.17 & ISO8732

standardized in ANSI X9.17 & ISO8732

• no current known practical attacks

no current known practical attacks

 several proposed impractical attacks might

several proposed impractical attacks might become basis of future attacks become basis of future attacks

Triple-DES with Three-Keys Triple-DES with Three-Keys

• although are no practical attacks on two-

although are no practical attacks on two- key Triple-DES have some indications key Triple-DES have some indications

• can use Triple-DES with Three-Keys to

can use Triple-DES with Three-Keys to avoid even these avoid even these

 C = E

C = EK3

K3(D

(DK2

K2(E

(EK1

K1(P)))

(P)))

• has been adopted by some Internet

has been adopted by some Internet applications, eg PGP, S/MIME applications, eg PGP, S/MIME

Triple-DES with... one key? Triple-DES with... one key?

• Is that a

Is that a keying option keying option? ?

Origins Origins

• clear a replacement for DES was needed

clear a replacement for DES was needed

 have theoretical attacks that can break it

have theoretical attacks that can break it

 have demonstrated exhaustive key search attacks

have demonstrated exhaustive key search attacks

• can use Triple-DES – but slow, has small blocks

can use Triple-DES – but slow, has small blocks

• US NIST issued call for ciphers in 1997

US NIST issued call for ciphers in 1997

• 15 candidates accepted in Jun 98

15 candidates accepted in Jun 98

• 5 were shortlisted in Aug-99

5 were shortlisted in Aug-99

• Rijndael was selected as the AES in Oct-2000

Rijndael was selected as the AES in Oct-2000

• issued as FIPS PUB 197 standard in Nov-2001

issued as FIPS PUB 197 standard in Nov-2001

The AES Cipher - Rijndael The AES Cipher - Rijndael

• designed by Rijmen-Daemen in Belgium

designed by Rijmen-Daemen in Belgium

• has 128/192/256 bit keys, 128 bit data

has 128/192/256 bit keys, 128 bit data

• an

an iterative iterative rather than rather than feistel feistel cipher cipher

 processes

processes data as block of 4 columns of 4 bytes data as block of 4 columns of 4 bytes

 operates on entire data block in every round

• perates on entire data block in every round
• designed to be:

designed to be:

 resistant against known attacks

resistant against known attacks

 speed and code compactness on many CPUs

speed and code compactness on many CPUs

 design simplicity

design simplicity

AES AES Encryption Encryption Process Process

AES Structure AES Structure

• data block of

data block of 4 columns of 4 bytes is state 4 columns of 4 bytes is state

• key is expanded to array of words

key is expanded to array of words

• has 9/11/13 rounds in which state undergoes:

has 9/11/13 rounds in which state undergoes:

 byte substitution (1 S-box used on every byte)

byte substitution (1 S-box used on every byte)

 shift rows (permute bytes between groups/columns)

shift rows (permute bytes between groups/columns)

 mix columns (subs using matrix multiply of groups)

mix columns (subs using matrix multiply of groups)

 add round key (XOR state with key material)

add round key (XOR state with key material)

 view as alternating XOR key & scramble data bytes

view as alternating XOR key & scramble data bytes

• initial XOR key material & incomplete last round

initial XOR key material & incomplete last round

• with fast XOR & table lookup implementation

with fast XOR & table lookup implementation

AES Structure AES Structure

AES Round AES Round

Random Numbers Random Numbers

• many uses of

many uses of random numbers random numbers in cryptography in cryptography

 nonces in authentication protocols to prevent replay

nonces in authentication protocols to prevent replay

 session keys

session keys

 public key generation

public key generation

 keystream for a one-time pad

keystream for a one-time pad

• in all cases its critical that these values be

in all cases its critical that these values be

 statistically random, uniform distribution, independent

statistically random, uniform distribution, independent

 unpredictability of future values from

unpredictability of future values from previous values previous values

• true random numbers provide this

true random numbers provide this

• care needed with generated random numbers

care needed with generated random numbers

Pseudorandom Number Pseudorandom Number Generators (PRNGs) Generators (PRNGs)

• often use deterministic algorithmic
• ften use deterministic algorithmic

techniques to create “random numbers” techniques to create “random numbers”

 although are not truly random

although are not truly random

 can pass many tests of “randomness”

can pass many tests of “randomness”

• known as “pseudorandom numbers”

known as “pseudorandom numbers”

• created by “

created by “Pseudorandom Number

Pseudorandom Number Generators (PRNGs)” Generators (PRNGs)”

Random & Pseudorandom Random & Pseudorandom Number Generators Number Generators

Stream Cipher Structure Stream Cipher Structure

Stream Cipher Properties Stream Cipher Properties

• some design considerations are:

some design considerations are:

 long period with no repetitions

long period with no repetitions

 statistically random

statistically random

 depends on large enough key

depends on large enough key

 large linear complexity

large linear complexity

• properly designed, can be as secure as a

properly designed, can be as secure as a block cipher with same size key block cipher with same size key

• but usually simpler & faster

but usually simpler & faster

RC4 RC4

• a proprietary cipher owned by RSA DSI

a proprietary cipher owned by RSA DSI

• another Ron Rivest design, simple but effective

another Ron Rivest design, simple but effective

• variable key size, byte-oriented stream cipher

variable key size, byte-oriented stream cipher

• widely used (web SSL/TLS, wireless WEP/WPA)

widely used (web SSL/TLS, wireless WEP/WPA)

• key forms random permutation of all 8-bit values

key forms random permutation of all 8-bit values

• uses that permutation to scramble input info

uses that permutation to scramble input info processed a byte at a time processed a byte at a time

RC4 Key Schedule RC4 Key Schedule

• starts with an array S of numbers: 0..255

starts with an array S of numbers: 0..255

• use key to well and truly shuffle

use key to well and truly shuffle

• S forms

S forms internal state internal state of the cipher

• f the cipher

for i = 0 to 255 do for i = 0 to 255 do S[i] = i S[i] = i T[i] = K[i mod keylen]) T[i] = K[i mod keylen]) j = 0 j = 0 for i = 0 to 255 do for i = 0 to 255 do j = (j + S[i] + T[i]) (mod 256) j = (j + S[i] + T[i]) (mod 256) swap (S[i], S[j]) swap (S[i], S[j])

RC4 Encryption RC4 Encryption

• encryption continues shuffling array values

encryption continues shuffling array values

• sum of shuffled pair selects "stream key"

sum of shuffled pair selects "stream key" value from permutation value from permutation

• XOR S[t] with next byte of message to

XOR S[t] with next byte of message to en/decrypt en/decrypt

i = j = 0 i = j = 0 for each message byte M for each message byte Mi

i

i = (i + 1) (mod 256) i = (i + 1) (mod 256) j = (j + S[i]) (mod 256) j = (j + S[i]) (mod 256) swap(S[i], S[j]) swap(S[i], S[j]) t = (S[i] + S[j]) (mod 256) t = (S[i] + S[j]) (mod 256) C Ci

i = M

= Mi

i XOR S[t]

XOR S[t]

RC4 Overview RC4 Overview

RC4 Security RC4 Security

• claimed secure against known attacks

claimed secure against known attacks

 have some analyses, none practical

have some analyses, none practical

• result is very non-linear

result is very non-linear

• since RC4 is a stream cipher, must

since RC4 is a stream cipher, must never never reuse a key reuse a key

• have a concern with WEP, but due to key

have a concern with WEP, but due to key handling rather than RC4 itself handling rather than RC4 itself

Modes of Operation Modes of Operation

• block ciphers encrypt fixed size blocks

block ciphers encrypt fixed size blocks

 eg. DES encrypts 64-bit blocks with 56-bit key

• eg. DES encrypts 64-bit blocks with 56-bit key
• need some way to en/decrypt arbitrary

need some way to en/decrypt arbitrary amounts of data in practise amounts of data in practise

• NIST SP 800-38A

NIST SP 800-38A defines 5 modes defines 5 modes

• have

have block block and and stream stream modes modes

• to cover a wide variety of applications

to cover a wide variety of applications

• can be used with any block cipher

can be used with any block cipher

Electronic Codebook Book (ECB) Electronic Codebook Book (ECB)

• message is broken into independent

message is broken into independent blocks which are encrypted blocks which are encrypted

• each block is a value which is substituted,

each block is a value which is substituted, like a codebook, hence name like a codebook, hence name

• each block is encoded independently of

each block is encoded independently of the other blocks the other blocks

C Ci

i = E

= EK

K(P

(Pi

i)

)

• uses: secure transmission of single values

uses: secure transmission of single values

Advantages and Limitations of Advantages and Limitations of ECB ECB

• message repetitions may show in ciphertext

message repetitions may show in ciphertext

 if aligned with message block

if aligned with message block

 particularly with data such graphics

particularly with data such graphics

 or with messages that change very little, which

• r with messages that change very little, which

become a code-book analysis problem become a code-book analysis problem

• weakness is due to the encrypted message

weakness is due to the encrypted message blocks being independent blocks being independent

• main use is sending a few blocks of data

main use is sending a few blocks of data

Advantages and Limitations of Advantages and Limitations of ECB ECB

• Finally! Time for our first real example!

Finally! Time for our first real example!

Cipher Block Chaining (CBC) Cipher Block Chaining (CBC)

• message is broken into blocks

message is broken into blocks

• linked together in encryption operation

linked together in encryption operation

• each previous cipher blocks is chained

each previous cipher blocks is chained with current plaintext block, hence name with current plaintext block, hence name

• use Initial Vector (IV) to start process

use Initial Vector (IV) to start process

C Ci

i = E

= EK

K(P

(Pi

i XOR C

XOR Ci-1

i-1)

) C C-1

• 1 = IV

= IV

• uses: bulk data encryption, authentication

uses: bulk data encryption, authentication

Cipher Block Chaining (CBC) Cipher Block Chaining (CBC)

• Let's revisit our example!

Let's revisit our example!

Cipher Cipher Block Block Chaining Chaining (CBC) (CBC)

Cipher FeedBack (CFB) Cipher FeedBack (CFB)

• message is treated as a stream of bits

message is treated as a stream of bits

• added to the output of the block cipher

added to the output of the block cipher

• result is feed back for next stage (hence name)

result is feed back for next stage (hence name)

• standard allows any number of bit (1,8, 64 or

standard allows any number of bit (1,8, 64 or 128 etc) to be feed back 128 etc) to be feed back

 denoted CFB-1, CFB-8, CFB-64, CFB-128 etc

denoted CFB-1, CFB-8, CFB-64, CFB-128 etc

• most efficient to use all bits in block (64 or 128)

most efficient to use all bits in block (64 or 128)

C Ci

i = P

= Pi

i XOR E

XOR EK

K(C

(Ci-1

i-1)

) C C-1

• 1 = IV

= IV

• uses: stream data encryption, authentication

uses: stream data encryption, authentication

s-bit s-bit Cipher Cipher FeedBack FeedBack (CFB-s) (CFB-s)

Advantages and Limitations of Advantages and Limitations of CFB CFB

• appropriate when data arrives in bits/bytes

appropriate when data arrives in bits/bytes

• most common stream mode

most common stream mode

• limitation is need to stall while do block

limitation is need to stall while do block encryption after every n-bits encryption after every n-bits

• note that the block cipher is used in

note that the block cipher is used in encryption encryption mode at mode at both both ends ends

• errors propagate for several blocks after

errors propagate for several blocks after the error the error

Counter (CTR) Counter (CTR)

• a “new” mode, though proposed early on

a “new” mode, though proposed early on

• similar to OFB but encrypts counter value

similar to OFB but encrypts counter value rather than any feedback value rather than any feedback value

• must have a different key & counter value

must have a different key & counter value for every plaintext block (never reused) for every plaintext block (never reused)

O Oi

i = E

= EK

K(i)

(i) C Ci

i = P

= Pi

i XOR O

XOR Oi

i

• uses: high-speed network encryptions

uses: high-speed network encryptions

Counter Counter (CTR) (CTR)

Advantages and Limitations of Advantages and Limitations of CTR CTR

• efficiency

efficiency

 can do parallel encryptions in h/w or s/w

can do parallel encryptions in h/w or s/w

 can preprocess in advance of need

can preprocess in advance of need

 good for bursty high speed links

good for bursty high speed links

• random access to encrypted data blocks

random access to encrypted data blocks

• provable security (good as other modes)

provable security (good as other modes)

• but must ensure never reuse key/counter

but must ensure never reuse key/counter values, otherwise could break (cf OFB) values, otherwise could break (cf OFB)

Considerations when comparing Considerations when comparing block modes block modes

• error propagation

error propagation

 e.g. an error in an ECB will only affect 1 block

e.g. an error in an ECB will only affect 1 block

 an error with CBC only affects 2 blocks

an error with CBC only affects 2 blocks

• parallelization

parallelization

 CTR and ECB might be able to parallelize, but

CTR and ECB might be able to parallelize, but have fun trying that with CBC! have fun trying that with CBC!

• Initialization vectors, nonces, and pads

Initialization vectors, nonces, and pads

 A recurring theme, but are these a concern?

A recurring theme, but are these a concern?

Consideration for future Consideration for future discussions discussions

• how will we actually share those keys?

how will we actually share those keys?

 if we can't easily share symmetric keys, does

if we can't easily share symmetric keys, does that mean we don't really use this form of that mean we don't really use this form of cryptography? cryptography?

• is transforming the human-readable into

is transforming the human-readable into the secret really the the secret really the only

• nly use for keys?

use for keys?

• is there anything else we'd like to discuss?

is there anything else we'd like to discuss?