symmetric key crypto part 1
play

Symmetric Key Crypto, Part 1 Prof. Tom Austin San Jos State - PowerPoint PPT Presentation

Apr 22, 2023 •116 likes •650 views

CS 166: Information Security Symmetric Key Crypto, Part 1 Prof. Tom Austin San Jos State University Stream Ciphers & Block Ciphers Stream ciphers based on the one-time pad Block ciphers based on codebook ciphers Symmetric

  1. CS 166: Information Security Symmetric Key Crypto, Part 1 Prof. Tom Austin San José State University

  2. Stream Ciphers & Block Ciphers • Stream ciphers – based on the one-time pad • Block ciphers – based on codebook ciphers

  3. Symmetric Key Notation Encrypt the plaintext P with the key K to produce the ciphertext C . E(P,K) = C Decrypt the ciphertext C with the key K to produce the plaintext P . D(C,K) = P

  4. Stream Ciphers • Based on one time pad (OTP) • Not provably secure • More usable than OTP

  5. One-Time Pad Review Provably secure! Plaintext: 0101 1010 0101 1011 0101 ⨁ Key: 1011 0010 1101 1001 0001 Ciphertext: 1110 1000 1000 0010 0100

  6. One-Time Pad Review Key is as long as the original message Plaintext: 0101 1010 0101 1011 0101 ⨁ Key: 1011 0010 1101 1001 0001 Ciphertext: 1110 1000 1000 0010 0100

  7. Replacing the key with a keystream Keystream Key: 1001 1110 Generator Keystream: 1001 0011 1101 1000 … P: ⨁ 0101 1010 0101 1011 1100 0001 1000 0011 C:

  8. Two Stream Ciphers • A5/1 – Based on shift registers – Used in GSM mobile phones • RC4 – Based on changing lookup table – Used many places

  9. A5/1: Shift Registers • Uses three shift registers – Efficient in hardware – Often slow if implemented in software • The A5/1 shift registers: – X : 19 bits ( x 0 , x 1 , x 2 , …,x 18 ) – Y : 22 bits ( y 0 , y 1 , y 2 , …,y 21 ) – Z : 23 bits ( z 0 , z 1 , z 2 , …,z 22 )

  10. A5/1: Keystream • At each step: m = maj( x 8 , y 10 , z 10 ) – Examples: maj(0,1,0) = 0 and maj(1,1,0) = 1 • If x 8 = m then X steps – t = x 13 Å x 16 Å x 17 Å x 18 – x i = x i - 1 for i = 18,17,…,1 and x 0 = t • If y 10 = m then Y steps – t = y 20 Å y 21 – y i = y i - 1 for i = 21,20,…,1 and y 0 = t • If z 10 = m then Z steps – t = z 7 Å z 20 Å z 21 Å z 22 – z i = z i - 1 for i = 22,21,…,1 and z 0 = t • Keystream bit is x 18 Å y 21 Å z 22

  11. A5/1 X x 0 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 x 10 x 11 x 12 x 13 x 14 x 15 x 16 x 17 x 18 Å Y Å y 0 y 1 y 2 y 3 y 4 y 5 y 6 y 7 y 8 y 9 y 10 y 11 y 12 y 13 y 14 y 15 y 16 y 17 y 18 y 19 y 20 y 21 Å Z z 0 z 1 z 2 z 3 z 4 z 5 z 6 z 7 z 8 z 9 z 10 z 11 z 12 z 13 z 14 z 15 z 16 z 17 z 18 z 19 z 20 z 21 z 22 Å • Each variable here is a single bit • Key is used as initial fill of registers • Each register steps (or not) based on maj ( x 8 , y 10 , z 10 ) • Keystream bit is XOR of rightmost bits of registers

  12. A5/1 X 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 Å Å Y 1 1 0 0 1 1 0 0 1 1 0 0 1 1 0 0 1 1 0 0 0 1 Å Z 1 1 1 0 0 0 0 1 1 1 1 0 0 0 0 1 1 1 1 0 0 0 1 Å • In this example, m = maj( x 8 , y 10 , z 10 ) = maj( 1 , 0 , 1 ) = 1 • Register X steps, Y does not step, and Z steps • Keystream bit is XOR of right bits of registers • Here, keystream bit will be 0 Å 1 Å 0 = 1

  13. Lab 3: A5/1 exercise For the A5/1 cipher, on average how often 1. does the X register step? 2. does the Y register step? 3. does the Z register step? 4. do all 3 registers step? 5. do exactly 2 registers step? 6. does exactly 1 register step? 7. does no register step?

  14. Shift Register Crypto Efficient in hardware, but is often slow in software. With faster processors, this approach is used less often. Still useful for resource- constrained devices.

  15. Rivest Cipher 4 (RC4) • Stream cipher • Used in wireless protocols – WEP, WPA, etc. • Designed to be implemented efficiently in software. • Uses a self-modifying lookup table – vs. A5/1 shift registers. • Generates a byte at a time – vs. A5/1 bit at a time.

  16. RC4 Design • Self-modifying lookup table always contains a permutation of the byte values 0,1,…,255. • Key determines initial permutation • At each step, RC4 1. Swaps elements in current lookup table 2. Selects a keystream byte from table

  17. RC4 Initialization • S[] is permutation of 0,1,...,255 • key[] contains N bytes of key for i = 0 to 255 S[i] = i K[i] = key[i (mod N)] next i j = 0 for i = 0 to 255 j = (j + S[i] + K[i]) mod 256 swap(S[i], S[j]) next i i = j = 0

  18. RC4 Keystream • For each keystream byte, swap elements in table and select byte i = (i + 1) mod 256 j = (j + S[i]) mod 256 swap(S[i], S[j]) t = (S[i] + S[j]) mod 256 keystreamByte = S[t] • Use keystream bytes like a one-time pad • Note: first 256 bytes should be discarded – Otherwise, related key attack exists

  19. Drill 1: Implement RC4 • Starter code at http://codecheck.it/files/170906 24307xqbujqkjinqw8trh5vng6r0e • Look for "**YOUR CODE HERE**" sections

  20. RC4 fading from popularity • Used incorrectly in WEP – related key attack • vulnerable to distinguishing attacks – random data distinguishable from RC4 encrypted data • prohibited for TLS by RFC 7465

  21. Death of Stream Ciphers? • Popular in the past – Efficient in hardware – Speed was needed to keep up with voice, etc. • Today, processors are fast – Software-based crypto is usually fast enough • Future of stream ciphers? – Shamir declared “the death of stream ciphers” – May be greatly exaggerated…

  22. Block Ciphers

  23. Review of codebook ciphers Word Codeword Plaintext: Apple 00123 Apple Durian Orange Banana 11439 Citrus 92340 Cranberry 87642 Ciphertext: Durian 58629 00123 58629 66793 Orange 66793 Strawberry 88432 Watermelon 90210

  24. Block Ciphers: Codebooks of Bytes Input Output … … OK, they are a bit 9E CB more complicated than that… 9F 80 A0 4F A1 ED A2 62 A3 9A … …

  25. (Iterated) Block Cipher • Plaintext and ciphertext consist of fixed-sized blocks • Ciphertext obtained from plaintext by iterating a round function • Input to round function consists of key and output of previous round • Usually implemented in software

  26. Feistel Ciphers • A type of cipher. • Easy to reverse encryption. – i.e. you get decryption for Horst free Feistel • Most modern block ciphers are "Feistel-ish" if not strict Feistel ciphers.

  27. Feistel Cipher: Encryption • Split plaintext block into left and right halves: P = (L 0 ,R 0 ) • For each round i = 1, 2, ..., n , compute L i = R i - 1 R i = L i - 1 Å F(R i - 1 ,K i ) where F is a round function and K i is the subkey • Ciphertext: C = (L n ,R n )

  28. Feistel Cipher: Decryption • Start with ciphertext C = (L n ,R n ) • Each round i = n,n - 1,…,1 , compute R i - 1 = L i L i - 1 = R i Å F(R i - 1 ,K i ) • F is round function and K i is subkey • Plaintext: P = (L 0 ,R 0 )

  29. Feistel cipher example (in-class)

  30. http://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html

  33. Data Encryption Standard (DES) • D eveloped in 1970’s • Based on IBM’s Lucifer cipher • U.S. government standard

  34. DES Controversy • NSA secretly involved – changes made without explanation • Key length reduced 128 to 56 bits • Subtle changes to Lucifer algorithm

  36. DES Numerology • Feistel cipher with… Odds of guessing key: roughly the same as winning the lottery & getting – 64 bit block length struck by lightning the same day. – 56 bit key length [Schneier 1996] – 16 rounds – 48 bits of key used each round (subkey) • Each round is simple (for a block cipher) • Security depends heavily on “S-boxes” – Each S-boxes maps 6 bits to 4 bits

  37. key L R 32 28 28 expand One shift shift 48 28 28 32 K i Round Å compress 48 48 of S-boxes 28 28 DES 32 P box 32 32 Å 32 key L R

  38. DES Expansion Permutation • Input 32 bits 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 • Output 48 bits 31 0 1 2 3 4 3 4 5 6 7 8 7 8 9 10 11 12 11 12 13 14 15 16 15 16 17 18 19 20 19 20 21 22 23 24 23 24 25 26 27 28 27 28 29 30 31 0

  39. DES S-box • 8 “substitution boxes” or S-boxes • Each S-box maps 6 bits to 4 bits • S-box number 1 input bits (0,5) ¯ input bits (1,2,3,4) | 0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111 ------------------------------------------------------------------------------------ 00 | 1110 0100 1101 0001 0010 1111 1011 1000 0011 1010 0110 1100 0101 1001 0000 0111 01 | 0000 1111 0111 0100 1110 0010 1101 0001 1010 0110 1100 1011 1001 0101 0011 1000 10 | 0100 0001 1110 1000 1101 0110 0010 1011 1111 1100 1001 0111 0011 1010 0101 0000 11 | 1111 1100 1000 0010 0100 1001 0001 0111 0101 1011 0011 1110 1010 0000 0110 1101

  40. DES P-box • Input 32 bits 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 • Output 32 bits 15 6 19 20 28 11 27 16 0 14 22 25 4 17 30 9 1 7 23 13 31 26 2 8 18 12 29 5 21 10 3 24

  41. DES Subkey • 56 bit DES key, numbered 0,1,2,…,55 • Left half key bits, LK 49 42 35 28 21 14 7 0 50 43 36 29 22 15 8 1 51 44 37 30 23 16 9 2 52 45 38 31 • Right half key bits, RK 55 48 41 34 27 20 13 6 54 47 40 33 26 19 12 5 53 46 39 32 25 18 11 4 24 17 10 3

  42. DES Subkey • For rounds i=1,2,...,16 – Let LK = (LK circular shift left by r i ) – Let RK = (RK circular shift left by r i ) – Left half of subkey K i is of LK bits 13 16 10 23 0 4 2 27 14 5 20 9 22 18 11 3 25 7 15 6 26 19 12 1 – Right half of subkey K i is RK bits 12 23 2 8 18 26 1 11 22 16 4 19 15 20 10 27 5 24 17 13 21 7 0 3

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Bart Jacobs

Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Bart Jacobs

Crypto intro Crypto intro Symmetric crypto Symmetric crypto Achieving security goals with symmetric crypto Radboud University Nijmegen Achieving security goals with symmetric crypto Radboud University Nijmegen e-Passport example

269 views • 7 slides
1 2 Symmetric crypto, part 2 client D. J.

1 2 Symmetric crypto, part 2 client D. J.

1 2 Symmetric crypto, part 2 client D. J. Bernstein message m 1 session key k client authenticated k ciphertext C 1 servers ciphertext C 0 public key S Internet Symmetric Internet

2.03k views • 175 slides
Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Achieving security

Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Achieving security

Crypto intro Crypto intro Symmetric crypto Symmetric crypto Achieving security goals with symmetric crypto Achieving security goals with symmetric crypto Radboud University Nijmegen Radboud University Nijmegen e-Passport example

1.11k views • 12 slides
1 Symmetric crypto, part 2 D. J. Bernstein session key k client

1 Symmetric crypto, part 2 D. J. Bernstein session key k client

1 Symmetric crypto, part 2 D. J. Bernstein session key k client servers ciphertext C 0 public key S Internet Public-key crypto ciphertext C 0 servers same k secret key s server

916 views • 80 slides
Computer Security: Secret Key Crypto B. Jacobs Institute for Computing and Information Sciences

Computer Security: Secret Key Crypto B. Jacobs Institute for Computing and Information Sciences

Crypto intro Symmetric crypto Achieving security goals with symmetric crypto Radboud University Nijmegen e-Passport example Encryption: modes of operation Computer Security: Secret Key Crypto B. Jacobs Institute for Computing and Information

856 views • 73 slides
Symmetric Key Crypto, Part 2 Prof. Tom Austin San Jos State University REVIEW: A5/1 lab X x

Symmetric Key Crypto, Part 2 Prof. Tom Austin San Jos State University REVIEW: A5/1 lab X x

CS 166: Information Security Symmetric Key Crypto, Part 2 Prof. Tom Austin San Jos State University REVIEW: A5/1 lab X x 0 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 x 10 x 11 x 12 x 13 x 14 x 15 x 16 x 17 x 18 Y y 0 y 1 y 2 y 3 y 4 y 5 y

690 views • 45 slides
Leakage-Resilient (Symmetric) Cryptography Franois-Xavier Standaert UCL Crypto Group, Belgium

Leakage-Resilient (Symmetric) Cryptography Franois-Xavier Standaert UCL Crypto Group, Belgium

Leakage-Resilient (Symmetric) Cryptography Franois-Xavier Standaert UCL Crypto Group, Belgium Summer school on real-world crypto, 2016 Outline Starting point (link with previous lecture) Seed results (TCC 2004, FOCS 2008)

1.14k views • 111 slides
Evolving Ecosystems Moti Yung, Google Talk Agenda Part I: Crypto as part of general

Evolving Ecosystems Moti Yung, Google Talk Agenda Part I: Crypto as part of general

Actual Cryptography at the Age of Evolving Ecosystems Moti Yung, Google Talk Agenda Part I: Crypto as part of general engineering projects Part II: Adx Review Part III: Adx Crypto solutions Part IV: Conclusions From

861 views • 43 slides
Introduction to symmetric crypto Some cipher history D. J. Bernstein 1973, and again in 1974:

Introduction to symmetric crypto Some cipher history D. J. Bernstein 1973, and again in 1974:

1 2 Introduction to symmetric crypto Some cipher history D. J. Bernstein 1973, and again in 1974: U.S. National Bureau of Standards solicits proposals How HTTPS protects connection: for a Data Encryption Standard. Public-key encryption

1.67k views • 131 slides
Introduction to symmetric crypto D. J. Bernstein How HTTPS protects connection: Public-key

Introduction to symmetric crypto D. J. Bernstein How HTTPS protects connection: Public-key

1 Introduction to symmetric crypto D. J. Bernstein How HTTPS protects connection: Public-key encryption system encrypts one secret message: a random 256-bit session key. Public-key signature system stops NSAITM attacks. Fast

1.03k views • 63 slides
Preparing Symmetric Crypto for the Quantum World Mar a Naya-Plasencia Inria, France ERC

Preparing Symmetric Crypto for the Quantum World Mar a Naya-Plasencia Inria, France ERC

Preparing Symmetric Crypto for the Quantum World Mar a Naya-Plasencia Inria, France ERC project QUASYModo FSE 2019 Paris - March 26 2019 Preliminaries... No quantum knowledge needed for following this talk Outline Introduction

882 views • 72 slides
DISE: DISTRIBUTED SYMMETRIC-KEY ENCRYTION Shashank Agrawal Payman Mohassel Pratyay Mukherjee

DISE: DISTRIBUTED SYMMETRIC-KEY ENCRYTION Shashank Agrawal Payman Mohassel Pratyay Mukherjee

DISE: DISTRIBUTED SYMMETRIC-KEY ENCRYTION Shashank Agrawal Payman Mohassel Pratyay Mukherjee Peter Rindal Threshold Cryto Has focused on public-key crypto Symmetric-key encryption got less attention Symmetric keys dont stay

338 views • 31 slides
Lightweight Symmetric Crypto on a Full Circle: From Industry to Academia and Back Christian

Lightweight Symmetric Crypto on a Full Circle: From Industry to Academia and Back Christian

Lightweight Symmetric Crypto on a Full Circle: From Industry to Academia and Back Christian Rechberger TU Graz and DTU Security of modern IT Systems User Secure System Communication Protocol Cryptographic Primitive Security of modern IT

523 views • 51 slides
CRYPTO HERE, CRYPTO THERE, CRYPTO, CRYPTO EVERYWHERE WORLD AQUATIC HEALTH CONFERENCE

CRYPTO HERE, CRYPTO THERE, CRYPTO, CRYPTO EVERYWHERE WORLD AQUATIC HEALTH CONFERENCE

CRYPTO HERE, CRYPTO THERE, CRYPTO, CRYPTO EVERYWHERE WORLD AQUATIC HEALTH CONFERENCE WILLIAMSBURG, VA THURSDAY, OCTOBER 17 TH , 2019 JOHN KELLY, PE IOWA DEPARTMENT OF PUBLIC HEALTH DISCLAIMER THIS PRESENTATION: IS INTENDED FOR

843 views • 40 slides
Fast symmetric crypto on embedded CPUs Peter Schwabe Radboud University Nijmegen, The Netherlands

Fast symmetric crypto on embedded CPUs Peter Schwabe Radboud University Nijmegen, The Netherlands

Fast symmetric crypto on embedded CPUs Peter Schwabe Radboud University Nijmegen, The Netherlands June 5, 2014 Summer School on the design and security of cryptographic algorithms and devices for real-world applications Embedded CPUs 4-bit

929 views • 70 slides
Outline Crypto basics Announcements intermission CSci 5271 Introduction to Computer Security

Outline Crypto basics Announcements intermission CSci 5271 Introduction to Computer Security

Outline Crypto basics Announcements intermission CSci 5271 Introduction to Computer Security Stream ciphers Day 15: Cryptography part 1: symmetric key Block ciphers and modes of operation Stephen McCamant Hash functions and MACs University

441 views • 9 slides
DTTF/NB479: Dszquphsbqiz Day 5 Announcements: Please pass in Assignment 1 now. Assignment

DTTF/NB479: Dszquphsbqiz Day 5 Announcements: Please pass in Assignment 1 now. Assignment

DTTF/NB479: Dszquphsbqiz Day 5 Announcements: Please pass in Assignment 1 now. Assignment 2 posted (when due?) Questions? Roll Call Today: Vigenere ciphers Invented in 1553 by Bellaso, not Vigenere Q1-2 Vigenere Ciphers Idea: the

544 views • 13 slides
Joint Research Centre the European Commission's in-house science service Serving society

Joint Research Centre the European Commission's in-house science service Serving society

Joint Research Centre the European Commission's in-house science service Serving society Stimulating innovation Supporting legislation Improved Cryptanalysis of the DECT Standard Cipher Iwen Coisel, Ignacio Sanchez CHES 2015 Saint-Malo,

408 views • 27 slides
ACCT 420: Textual analysis Session 8 Dr. Richard M. Crowley 1 Front matter 2 . 1 Learning

ACCT 420: Textual analysis Session 8 Dr. Richard M. Crowley 1 Front matter 2 . 1 Learning

ACCT 420: Textual analysis Session 8 Dr. Richard M. Crowley 1 Front matter 2 . 1 Learning objectives Theory: Natural Language Processing Application: Analyzing a Citigroup annual report Methodology: Text analysis

1.17k views • 78 slides
CS 4700: Foundations of Artificial Intelligence Bart Selman selman@cs.cornell.edu Module:

CS 4700: Foundations of Artificial Intelligence Bart Selman selman@cs.cornell.edu Module:

CS 4700: Foundations of Artificial Intelligence Bart Selman selman@cs.cornell.edu Module: Knowledge, Reasoning, and Planning Part 1 Logical Agents R&N: Chapter 7 1 A Model-Based Agent 2 Knowledge and Reasoning Knowledge and

387 views • 28 slides
Separable Statistics and Multivariate Linear Cryptanalysis Stian Fauskanger 1 Igor Semaev 2

Separable Statistics and Multivariate Linear Cryptanalysis Stian Fauskanger 1 Igor Semaev 2

Separable Statistics and Multivariate Linear Cryptanalysis Stian Fauskanger 1 Igor Semaev 2 Norwegian Defence Research Establishment (FFI), PB 25, 2027 Kjeller, Norway Department of Informatics, University of Bergen, Bergen, Norway Boolean

377 views • 16 slides
Whirlpool Reduced to 7 Rounds Jian Guo 1 , Yu Sasaki 2 , Lei Wang 1 , Meiqin Wang 3 and Long Wen 3

Whirlpool Reduced to 7 Rounds Jian Guo 1 , Yu Sasaki 2 , Lei Wang 1 , Meiqin Wang 3 and Long Wen 3

Equivalent Key Recovery Attacks against HMAC and NMAC with Whirlpool Reduced to 7 Rounds Jian Guo 1 , Yu Sasaki 2 , Lei Wang 1 , Meiqin Wang 3 and Long Wen 3 1: Nanyang Technological University, Singapore 2: NTT Secure Platform Laboratories,

412 views • 25 slides
= x 1 x 2 x 3 MACs Success probability max (1/2 m , 1/2 k ) IV H 1 H 2 H 3 = h(x)

= x 1 x 2 x 3 MACs Success probability max (1/2 m , 1/2 k ) IV H 1 H 2 H 3 = h(x)

MAC Algorithms June 2013 Bart Preneel MAC algorithms MAC Algorithm Design and MAC Algorithm Design and Cryptanalysis: Basics Cryptanalysis: Basics Bart Preneel Bart Preneel KU Leuven - COSIC, Belgium KU Leuven - COSIC, Belgium

527 views • 6 slides
Game Theory and Strategy Introduction Levent Ko ckesen Ko c University Levent Ko

Game Theory and Strategy Introduction Levent Ko ckesen Ko c University Levent Ko

Game Theory and Strategy Introduction Levent Ko ckesen Ko c University Levent Ko ckesen (Ko c University) Introduction 1 / 10 Game Theory: Definition and Assumptions Game theory studies strategic interactions within a group of

232 views • 10 slides

More recommend