Outline Crypto basics, contd Stream ciphers CSci 5271 Block - PDF document

Outline Crypto basics, cont’d Stream ciphers CSci 5271 Block ciphers and modes of operation Introduction to Computer Security Announcements Cryptography, symmetric and public-key Hash functions and MACs Stephen McCamant Building a secure channel University of Minnesota, Computer Science & Engineering Public-key crypto basics Public key encryption and signatures Certificational attacks Fundamental ignorance Good primitive claims no attack more effective than We don’t really know that any computational brute force cryptosystem is secure Any break is news, even if it’s not yet practical Security proof would be tantamount to proving Canary in the coal mine P ✻ ❂ ◆P E.g., ✷ ✶✷✻✿✶ attack against AES-128 Crypto is fundamentally more uncertain than other Also watched: attacks against simplified variants parts of security Relative proofs Random oracle paradigm Prove security under an unproved assumption Assume ideal model of primitives: functions selected uniformly from a large space In symmetric crypto, prove a construction is secure Anderson: elves in boxes if the primitive is Not theoretically sound; assumption cannot be Often the proof looks like: if the construction is insecure, so is the primitive satisfied Can also prove immunity against a particular kind of But seems to be safe in practice attack Pseudorandomness and distinguishers Open standards Claim: primitive cannot be distinguished from a truly How can we get good primitives? random counterpart In polynomial time with non-negligible probability Open-world best practice: run competition, invite experts to propose then attack We can build a distinguisher algorithm to exploit any weakness Run by neutral experts, e.g. US NIST Slightly too strong for most practical primitives, but a Recent good examples: AES, SHA-3 good goal

A certain three-letter agency Outline Crypto basics, cont’d Stream ciphers National Security Agency (NSA): has primary Block ciphers and modes of operation responsibility for “signals intelligence” Announcements Dual-mission tension: Hash functions and MACs Break the encryption of everyone in the world Building a secure channel Help US encryption not be broken by foreign powers Public-key crypto basics Public key encryption and signatures Stream ciphers Shift register stream ciphers Linear-feedback shift register (LFSR): easy way to Closest computational version of one-time pad generate long pseudorandom sequence Key (or seed) used to generate a long But linearity allows for attack pseudorandom bitstream Several ways to add non-linearity Closely related: cryptographic RNG Common in constrained hardware, poor security record RC4 Encryption ✻ ❂ integrity Fast, simple, widely used software stream cipher Encryption protects secrecy, not message integrity Previously a trade secret, also “ARCFOUR” For constant-size encryption, changing the Many attacks, none yet fatal to careful users (e.g. ciphertext just creates a different plaintext TLS) How will your system handle that? Famous non-careful user: WEP Now deprecated, not recommended for new uses Always need to take care of integrity separately Stream cipher mutability Stream cipher assessment Strong example of encryption vs. integrity Currently out of fashion as a primitive in software In stream cipher, flipping a ciphertext bit flips the Not inherently insecure corresponding plaintext bit, only Other common pitfall: must not reuse key(stream) Currently no widely vetted primitives Very convenient for targeted changes

Outline Basic idea Crypto basics, cont’d Stream ciphers Encryption/decryption for a fixed sized block Block ciphers and modes of operation Insecure if block size is too small Announcements Barely enough: 64 bits; current standard: 128 Hash functions and MACs Reversible, so must be one-to-one and onto function Building a secure channel Public-key crypto basics Public key encryption and signatures Pseudorandom permutation Confusion and diffusion Basic design principles articulated by Shannon Ideal model: key selects a random invertible function Confusion: combine elements so none can be I.e., permutation (PRP) on block space analyzed individually Note: not permutation on bits Diffusion: spread the effect of one symbol around to “Strong” PRP: distinguisher can decrypt as well as others encrypt Iterate multiple rounds of transformation Substitution/permutation network AES Advanced Encryption Standard: NIST contest 2001 Developed under the name Rijndael Parallel structure combining reversible elements: 128-bit block, 128/192/256-bit key Substitution: invertible lookup table (“S-box”) Fast software implementation with lookup tables (or Permutation: shuffle bits dedicated insns) Allowed by US government up to Top Secret Feistel cipher DES Data Encryption Standard: AES predecessor Split block in half, operate in turn: 1977-2005 ✭ ▲ ✐ ✰ ✶ ❀ ❘ ✐ ✰ ✶ ✮ ❂ ✭ ❘ ✐ ❀ ▲ ✐ ✟ ❋ ✭ ❘ ✐ ❀ ❑ ✐ ✮✮ 64-bit block, 56-bit key Key advantage: ❋ need not be invertible Implementable in 70s hardware, not terribly fast in Also saves space in hardware software Luby-Rackoff: if ❋ is pseudo-random, 4 or more rounds gives a strong PRP Triple DES variant still used in places

Some DES history DES brute force history 1977 est. $20m cost custom hardware Developed primarily at IBM, based on an earlier 1993 est. $1m cost custom hardware cipher named “Lucifer” Final spec helped and “helped” by the NSA 1997 distributed software break Argued for smaller key size 1998 $250k built ASIC hardware S-boxes tweaked to avoid a then-secret attack 2006 $10k FPGAs Eventually victim to brute-force attack 2012 as-a-service against MS-CHAPv2 Double encryption? Modes of operation Combine two different block ciphers? How to build a cipher for arbitrary-length data from a Belt and suspenders block cipher Anderson: don’t do it Many approaches considered FS&K: could do it, not a recommendation For some reason, most have three-letter acronyms More recently: properties susceptible to relative Maurer and Massey (J.Crypt’93): might only be as proof strong as first cipher ECB Do not use ECB Electronic CodeBook Split into blocks, apply cipher to each one individually Leaks equalities between plaintext blocks Almost never suitable for general use CBC CBC: getting an IV ❈ ✵ is called the initialization vector (IV) Cipher Block Chaining Must be known for decryption ❈ ✐ ❂ ❊ ❑ ✭ P ✐ ✟ ❈ ✐ ✲ ✶ ✮ IV should be random-looking To prevent first-block equalities from leaking (lesser Probably most popular in current systems version of ECB problem) Plaintext changes propagate forever, ciphertext Common approaches changes only one block Generate at random Encrypt a nonce

Stream modes: OFB, CTR Outline Crypto basics, cont’d Stream ciphers Output FeedBack: produce keystream by repeatedly encrypting the IV Block ciphers and modes of operation Danger: collisions lead to repeated keystream Announcements Counter: produce from encryptions of an Hash functions and MACs incrementing value Building a secure channel Recently becoming more popular: allows parallelization Public-key crypto basics and random access Public key encryption and signatures Crypto primitive question Last week’s midterm Which of these is a cryptographic primitive based on a Handing back in class today Feistel cipher design? May bring leftovers tomorrow, safest is my office hours A. DES Solution set will be available later B. AES +12 point adjustment to compensate for excessive C. DSA difficulty D. CBC Visible on Canvas, not shown on paper exams E. HMAC Midterm raw stem display Midterm adjusted stem display ✾ ⑤ ✾ ✾ ⑤ ✸✸✸✺✻✼ ✽ ⑤ ✶✶✶✸✹✺ ✽ ⑤ ✵✶✶✷✸✸✸✹✺✺✼ ✼ ⑤ ✵✶✶✶✷✸✸✺ ✼ ⑤ ✵✵✶✷✷✸✸✹✺✺✺✻✻✼✼✾ ✻ ⑤ ✵✵✶✶✷✸✸✸✹✹✺✺✼✽✾✾ ✻ ⑤ ✷✸✸✺✼✼✼✽✽✽✽✽✾✾ ✺ ⑤ ✵✶✶✸✺✺✺✻✻✻✻✻✼✼✽✽✾ ✺ ⑤ ✶✸✺ ✹ ⑤ ✶✸ ✹ ⑤ ✸ ✸ ⑤ ✶✾ ✸ ⑤ ✽✾ ✷ ⑤ ✻✼ Outline Ideal model Crypto basics, cont’d Stream ciphers Ideal crypto hash function: pseudorandom function Block ciphers and modes of operation Arbitrary input, fixed-size output Simplest kind of elf in box, theoretically very Announcements convenient Hash functions and MACs But large gap with real systems: better practice is to Building a secure channel target particular properties Public-key crypto basics Public key encryption and signatures