Outline Crypto basics Announcements intermission CSci 5271 Introduction to Computer Security Stream ciphers Day 15: Cryptography part 1: symmetric key Block ciphers and modes of operation Stephen McCamant Hash functions and MACs University of Minnesota, Computer Science & Engineering Building a secure channel -ography, -ology, -analysis Caesar cipher Cryptography (narrow sense): designing encryption Advance three letters in alphabet: ❆ ✦ ❉❀ ❇ ✦ ❊❀ ✿ ✿ ✿ Cryptanalysis: breaking encryption Decrypt by going back three letters Cryptology: both of the above Internet-era variant: rot-13 Code (narrow sense): word-for-concept substitution Easy to break if you know the principle Cipher: the “codes” we actually care about Keys and Kerckhoffs’s principle Symmetric vs. public key Symmetric key (today’s lecture): one key used by all The only secret part of the cipher is a key participants Security does not depend on anything else being Public key: one key kept secret, another published secret Techniques invented in 1970s Modern (esp. civilian, academic) crypto embraces Makes key distribution easier openness quite strongly Depends on fancier math Goal: secure channel One-time pad Leaks no content information Secret key is truly random data as long as message Not protected: size, timing Encrypt by XOR (more generally addition mod Messages delivered intact and in order alphabet size) Or not at all Provides perfect, “information-theoretic” secrecy Even if an adversary can read, insert, and delete No way to get around key size requirement traffic
Computational security Key sizes and security levels Difficulty measured in powers of two, ignore small More realistic: assume adversary has a limit on constant factors computing power Secure if breaking encryption is computationally Power of attack measured by number of steps, aim infeasible for better than brute force ✷ ✸✷ definitely too easy, probably ✷ ✻✹ too E.g., exponential-time brute-force search Ties cryptography to complexity theory Modern symmetric key size: at least ✷ ✶✷✽ Crypto primitives Attacks on encryption Known ciphertext Base complicated systems on a minimal number of Weakest attack simple operations Known plaintext (and corresponding ciphertext) Designed to be fast, secure in wide variety of uses Chosen plaintext Study those primitives very intensely Chosen ciphertext (and plaintext) Strongest version: adaptive Certificational attacks Fundamental ignorance Good primitive claims no attack more effective than We don’t really know that any computational brute force cryptosystem is secure Any break is news, even if it’s not yet practical Security proof would be tantamount to proving Canary in the coal mine P ✻ ❂ ◆P E.g., ✷ ✶✷✻✿✶ attack against AES-128 Crypto is fundamentally more uncertain than other Also watched: attacks against simplified variants parts of security Relative proofs Random oracle paradigm Prove security under an unproved assumption Assume ideal model of primitives: functions selected uniformly from a large space In symmetric crypto, prove a construction is secure Anderson: elves in boxes if the primitive is Not theoretically sound; assumption cannot be Often the proof looks like: if the construction is insecure, so is the primitive satisfied Can also prove immunity against a particular kind of But seems to be safe in practice attack
Pseudorandomness and distinguishers Open standards Claim: primitive cannot be distinguished from a truly How can we get good primitives? random counterpart Open-world best practice: run competition, invite In polynomial time with non-negligible probability experts to propose then attack We can build a distinguisher algorithm to exploit any weakness Run by neutral experts, e.g. US NIST Slightly too strong for most practical primitives, but a Recent good examples: AES, SHA-3 good goal A certain three-letter agency Outline Crypto basics Announcements intermission National Security Agency (NSA): has primary responsibility for “signals intelligence” Stream ciphers Dual-mission tension: Block ciphers and modes of operation Break the encryption of everyone in the world Help US encryption not be broken by foreign powers Hash functions and MACs Building a secure channel Note to early readers Outline Crypto basics Announcements intermission This is the section of the slides most likely to change Stream ciphers in the final version If class has already happened, make sure you have Block ciphers and modes of operation the latest slides for announcements Hash functions and MACs Building a secure channel Stream ciphers Shift register stream ciphers Linear-feedback shift register (LFSR): easy way to Closest computational version of one-time pad generate long pseudorandom sequence Key (or seed) used to generate a long But linearity allows for attack pseudorandom bitstream Several ways to add non-linearity Closely related: cryptographic RNG Common in constrained hardware, poor security record
RC4 Encryption ✻ ❂ integrity Fast, simple, widely used software stream cipher Encryption protects secrecy, not message integrity Previously a trade secret, also “ARCFOUR” For constant-size encryption, changing the Many attacks, none yet fatal to careful users (e.g. ciphertext just creates a different plaintext TLS) How will your system handle that? Famous non-careful user: WEP Now deprecated, not recommended for new uses Always need to take care of integrity separately Stream cipher mutability Stream cipher assessment Strong example of encryption vs. integrity Currently out of fashion as a primitive in software In stream cipher, flipping a ciphertext bit flips the Not inherently insecure corresponding plaintext bit, only Other common pitfall: must not reuse key(stream) Currently no widely vetted primitives Very convenient for targeted changes Outline Basic idea Crypto basics Announcements intermission Encryption/decryption for a fixed sized block Stream ciphers Insecure if block size is too small Barely enough: 64 bits; current standard: 128 Block ciphers and modes of operation Reversible, so must be one-to-one and onto function Hash functions and MACs Building a secure channel Pseudorandom permutation Confusion and diffusion Basic design principles articulated by Shannon Ideal model: key selects a random invertible function Confusion: combine elements so none can be I.e., permutation (PRP) on block space analyzed individually Note: not permutation on bits Diffusion: spread the effect of one symbol around to “Strong” PRP: distinguisher can decrypt as well as others encrypt Iterate multiple rounds of transformation
Substitution/permutation network AES Advanced Encryption Standard: NIST contest 2001 Developed under the name Rijndael Parallel structure combining reversible elements: 128-bit block, 128/192/256-bit key Substitution: invertible lookup table (“S-box”) Fast software implementation with lookup tables (or Permutation: shuffle bits dedicated insns) Allowed by US government up to Top Secret Feistel cipher DES Data Encryption Standard: AES predecessor Split block in half, operate in turn: 1977-2005 ✭ ▲ ✐ ✰ ✶ ❀ ❘ ✐ ✰ ✶ ✮ ❂ ✭ ❘ ✐ ❀ ▲ ✐ ✟ ❋ ✭ ❘ ✐ ❀ ❑ ✐ ✮✮ 64-bit block, 56-bit key Key advantage: ❋ need not be invertible Implementable in 70s hardware, not terribly fast in Also saves space in hardware software Luby-Rackoff: if ❋ is pseudo-random, 4 or more rounds gives a strong PRP Triple DES variant still used in places Some DES history DES brute force history 1977 est. $20m cost custom hardware Developed primarily at IBM, based on an earlier 1993 est. $1m cost custom hardware cipher named “Lucifer” Final spec helped and “helped” by the NSA 1997 distributed software break Argued for smaller key size 1998 $250k built ASIC hardware S-boxes tweaked to avoid a then-secret attack 2006 $10k FPGAs Eventually victim to brute-force attack 2012 as-a-service against MS-CHAPv2 Double encryption? Modes of operation Combine two different block ciphers? How to build a cipher for arbitrary-length data from a Belt and suspenders block cipher Anderson: don’t do it Many approaches considered FS&K: could do it, not a recommendation For some reason, most have three-letter acronyms Maurer and Massey (J.Crypt’93): might only be as More recently: properties susceptible to relative proof strong as first cipher
Recommend
More recommend
