
Symmetric Key Encryption 9/9/2009 598MAN Applied Cryptography



  1. Symmetric Key Encryption 9/9/2009 598MAN - Applied Cryptography

  2. Outline
     • Recall: definitions of encryption
       – Perfect secrecy
       – CPA security
       – CCA security
     • Today
       – Practical constructions

  3. Perfect Secrecy
     • One-time pads
     • Practical?
       – Has been used (exchange tapes / CDs / DVDs of random bits)
       – Generally, using pad only once big limitation
         • Often, people get sloppy and reuse pads
       – Further reading: http://www1.cs.columbia.edu/~smb/blog/2009-08/2009-08-28.html

  4. Two-time Pads?
       C_1 = P_1 xor keystream
       C_2 = P_2 xor keystream
       C_1 xor C_2 = P_1 xor P_2
     • What can you learn from the XOR of two plaintexts?
       – One plaintext if you know the other
       – Both plaintexts if you know some statistical properties

  5. Stream Ciphers aka PRNGs
     • Construction presented last class:
       – OWP => Hard core bits => PRG => PRNG
     • Speed evaluation
       – One-way permutation: Rabin function over QR's
       – 512-bit modulus: ~10K /s
         • 512-bit # factored on single computer in 73 days!
       – 1024-bit modulus: ~3K /s
         • 3Kbps or ~400 bytes / second
     • Can we do better?

  6. RC4
     • Custom-designed stream generator
       – Developed by Ron Rivest @ RSA Labs
       – Aka ARCFOUR ("Alleged RC4")
     • Efficient to implement in software
     • Key size: up to 2048 bits
     • Speed:
       – 253355.04 KB/s
       – ~600 000 times faster!

  7. RC4 design
     • Table S
       – 256 8-bit values
     • Initialization

           # key is a sequence of byte values, keylen = len(key)
           S = [0] * 256
           for i in range(0,256):
               S[i] = i
           j = 0
           for i in range(0,256):
               j = (j + S[i] + key[i % keylen]) % 256   # keep j inside the 256-entry table
               S[i], S[j] = S[j], S[i]                  # swap

  8. RC4 keystream generation

           i = 0
           j = 0
           while True:
               i = (i + 1) % 256
               j = (j + S[i]) % 256
               S[i], S[j] = S[j], S[i]           # swap
               output(S[(S[i] + S[j]) % 256])    # emit one keystream byte

  9. RC4 security
     • Heuristic security
       – People try to break it, see if it survives
       – Note: same as Rabin's OWP security!
     • Weaknesses:
       – Digram statistics [Paul, Preneel '04]
       – Key leakage [Fluhrer, Mantin, Shamir '01]
         • Used to break WEP
       – Many others

  10. RC4 use
      • Widely popular
        – SSL/TLS
        – SSH
        – WEP / WPA
        – BitTorrent
        – PDF
        – …
      • Can be made secure (heuristically)
        – Drop first n bytes (n=512 or 3072)
        – Use completely random keys

  11. RC4 for CPA security
      • Is RC4 encryption CPA-secure?
      • No!
        – Same plaintext encrypts to same ciphertext
        – Similar to one-time PAD
      • How to fix?
        – Different key for every use

  12. Initialization Vectors
      • Can be public
      • Do not have to be random
      • Must never be reused
        – How do you ensure this?
      [Diagram: Key → RC4 → Keystream 1, xor Plaintext 1 → Ciphertext 1; Key → RC4 → Keystream 2, xor Plaintext 2 → Ciphertext 2]
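
The keystream-reuse problem of slides 4 and 11 and the IV fix of slide 12, as an added example that is not part of the original slides. The sample key and messages are constructed, and deriving the per-message key as SHA-256(key || IV) is an assumption of this example (the slides do not say how key and IV are combined).

```python
import hashlib

def rc4_keystream(key: bytes, n: int, drop: int = 0) -> bytes:
    """RC4 per slides 7-8; returns n keystream bytes after discarding `drop`."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key schedule (slide 7)
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(drop + n):                 # keystream generation (slide 8)
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out[drop:])

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_fixed_key(key: bytes, plaintext: bytes) -> bytes:
    """Slide 11's broken scheme: every message sees the same keystream."""
    return xor(plaintext, rc4_keystream(key, len(plaintext)))

def encrypt_with_iv(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Slide 12's fix. Assumption: per-message key = SHA-256(key || iv)."""
    msg_key = hashlib.sha256(key + iv).digest()
    stream = rc4_keystream(msg_key, len(plaintext), drop=3072)  # slide 10: drop n bytes
    return iv + xor(plaintext, stream)        # the IV is public and travels with the ciphertext

# Constructed sample data
KEY = b"constructed-demo-key"
P1 = b"meeting moved to 3pm"
P2 = b"budget approved: 40k"

def reuse_leak():
    """Returns (C1 xor C2 == P1 xor P2, P2 recovered from the ciphertexts plus P1)."""
    c1, c2 = encrypt_fixed_key(KEY, P1), encrypt_fixed_key(KEY, P2)
    return xor(c1, c2) == xor(P1, P2), xor(xor(c1, c2), P1)

def iv_separates():
    """Same key and plaintext, counter IVs 1 and 2: ciphertext bodies must differ."""
    c1 = encrypt_with_iv(KEY, (1).to_bytes(8, "big"), P1)
    c2 = encrypt_with_iv(KEY, (2).to_bytes(8, "big"), P1)
    return c1[8:] != c2[8:]

if __name__ == "__main__":
    print(reuse_leak(), iv_separates())
```

A counter is one answer to the slide's "How do you ensure this?": it is public and predictable, which the slide allows, and it cannot repeat as long as its state is never rolled back.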

  13. Block Ciphers
      • A little like PRF
        – In practice, invertible pseudo-random permutation
      [Diagram: Plaintext → Encrypt (Key) → Ciphertext; Ciphertext → Decrypt (Key) → Plaintext]

  14. Examples
      • Permutation cipher
        – Block size = 1 character (~ 5 bits)
        – Key size = 5 * 26 = 130 bits (actually ~88 bits)
        – Too easy to break
      • DES
        – Designed at IBM
        – Lucifer: 128-bit key, 128-bit block
        – NSA revision: 56-bit key, 64-bit block, improved S-boxes

  15. Block Size
      • How important is block size?
        – Permutation: same plaintext => same ciphertext
      • How many encryptions before you see two identical plaintext blocks? (random plaintext, 64-bit blocks)
        – 2^32 blocks (n^(1/2), birthday paradox)
      • How many before you see all blocks
        – ~ 2^68 blocks (n log n, coupon collector)

  16. Key size
      • How big a key size should you use?
        – Want to prevent brute-force search
        – Note: cipher is "secure" if brute-force search fastest approach to break it
      • Many people believed DES key size too small from inception
        – 1999: EFF builds DES cracker, 1.5 days, $250K
        – 2008: COPACOBANA, $10K, < 1 week

  17. Key size selection
      • How much money does your adversary have?
        – 64-bit feasible for $10K
        – ~87-bit feasible for $10B!
      • How much time do you want things to stay secret?
        – Moore's law (corollary): computational unit becomes twice as cheap every ~2 years
        – 128-bit feasible in 128 years (for $10K)
        – Note: key search trivially parallelizable
      • Further reading
        – www.keysize.com

  18. After DES
      • 3DES: Encrypt-Decrypt-Encrypt
        – C = E_k1(D_k2(E_k3(P)))
      • Why not 2DES?
        – C = E_k1(E_k2(P))
        – Meet-in-the-middle attack
      [Diagram: compute E_0(P), E_1(P), …, E_{2^56-1}(P) and D_0(C), D_1(C), …, D_{2^56-1}(C); sort both lists; find matches]
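
Why doubling the key does not double the security, worked through on a toy cipher; this is an added example, not code from the slides. The 32-bit Feistel cipher, the 12-bit key size and the sample keys and plaintexts are all constructed for illustration, and a dictionary lookup stands in for the slide's sort-and-match step.

```python
import hashlib

KEY_BITS = 12  # toy key size so the search finishes instantly; DES has 56

def _f(half: int, key: int, rnd: int) -> int:
    """Round function: 16 bits of SHA-256(round || key || half)."""
    data = bytes([rnd]) + key.to_bytes(2, "big") + half.to_bytes(2, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:2], "big")

def E(key: int, block: int) -> int:
    """Toy 32-bit, 4-round Feistel cipher (constructed for this example, not DES)."""
    left, right = block >> 16, block & 0xFFFF
    for rnd in range(4):
        left, right = right, left ^ _f(right, key, rnd)
    return (left << 16) | right

def D(key: int, block: int) -> int:
    left, right = block >> 16, block & 0xFFFF
    for rnd in reversed(range(4)):
        left, right = right ^ _f(left, key, rnd), left
    return (left << 16) | right

def double_encrypt(k1: int, k2: int, p: int) -> int:
    return E(k1, E(k2, p))                      # C = E_k1(E_k2(P)), as on the slide

def meet_in_the_middle(pairs):
    """Key pairs consistent with all known (P, C) pairs, using about
    2 * 2^KEY_BITS cipher calls instead of the 2^(2*KEY_BITS) of brute force."""
    (p0, c0), rest = pairs[0], pairs[1:]
    middle = {}                                 # E_k2(P) -> [k2]; a dict replaces the slide's sort
    for k2 in range(1 << KEY_BITS):
        middle.setdefault(E(k2, p0), []).append(k2)
    found = []
    for k1 in range(1 << KEY_BITS):             # D_k1(C) must equal some E_k2(P)
        for k2 in middle.get(D(k1, c0), []):
            if all(double_encrypt(k1, k2, p) == c for p, c in rest):
                found.append((k1, k2))          # extra pairs weed out chance matches
    return found

# Constructed keys and plaintexts
K1, K2 = 0xABC, 0x123
PAIRS = [(p, double_encrypt(K1, K2, p)) for p in (0x01234567, 0x89ABCDEF)]

if __name__ == "__main__":
    print(meet_in_the_middle(PAIRS))
```

Scaled to DES, the same trade of memory for time is why 2DES offers roughly 57 bits of work rather than 112, and why the slide moves straight to three encryptions.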

  19. AES
      • Contest held by NIST to design new block cipher
      • Winner: Rijndael (aka AES)
      • 128-bit block
      • 128-, 192-, or 256-bit key size

  20. Encryption with AES
      • Split file into blocks, encrypt each with AES
      • Is XOR attack still possible?
      • Is this CPA-secure?

  21. Use IVs
      [Diagram: Plaintext1 xor IV1 → Encrypt (Key) → Ciphertext1, output IV1 and Ciphertext1; Plaintext2 xor IV2 → Encrypt (Key) → Ciphertext2, output IV2 and Ciphertext2]
      Ciphertext size expanded by a factor of 2!

  22. CBC-mode
      [Diagram: Plaintext1 xor IV1 → Encrypt (Key) → Ciphertext1; Plaintext2 xor previous ciphertext → Encrypt (Key) → Ciphertext2; output IV1, Ciphertext1, Ciphertext2]
      Re-use previous ciphertext as IV for next block

  23. Other Modes
      • OFB, CFB, Counter

  24. CCA Security
      • Is CBC CCA-secure?

  25. PCBC
      • Propagating CBC mode

  26. Message Authentication Codes
      • IDEA: make it impossible for attacker to generate a valid message
      • I.e., authenticate message
      [Diagram labels: Plaintext, Encrypt, MAC, Key, Checksum, Ciphertext]

  27. MACs
      • How long should a MAC be?
      • CBC-MAC:
        – CBC-encrypt plaintext with 0 IV
        – Use last encrypted block as MAC
      • Only secure for fixed-length messages (why?)
        – Can be extended for longer messages
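
The slide's "(why?)" answered in code, as an added example that is not part of the original slides: with variable-length messages, a tag issued for one block also verifies a two-block message the key holder never authenticated, and binding the length into the MAC closes the gap. The block cipher is replaced by truncated HMAC-SHA256 (an assumption made so the example needs only the standard library), and the key and message are constructed.

```python
import hashlib
import hmac

BLOCK = 16

def E(key: bytes, block: bytes) -> bytes:
    """Stand-in for the block cipher (assumption: HMAC-SHA256 truncated to one
    block; CBC-MAC only runs the cipher forwards, so no decryption is needed)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def cbc_mac(key: bytes, msg: bytes) -> bytes:
    """Slide 27: CBC-encrypt with a zero IV and keep only the last block."""
    if not msg or len(msg) % BLOCK:
        raise ValueError("message must be a positive whole number of blocks")
    state = bytes(BLOCK)
    for off in range(0, len(msg), BLOCK):
        state = E(key, xor(state, msg[off:off + BLOCK]))
    return state

def cbc_mac_with_length(key: bytes, msg: bytes) -> bytes:
    """One extension to variable lengths: MAC the length as an extra first block."""
    return cbc_mac(key, len(msg).to_bytes(BLOCK, "big") + msg)

def spliced(msg: bytes, tag: bytes) -> bytes:
    """For a one-block msg with tag T, builds msg || (msg xor T). Plain CBC-MAC
    gives it tag T too: E(msg) = T, then E(T xor msg xor T) = E(msg) = T."""
    return msg + xor(msg, tag)

# Constructed key and message
KEY = b"constructed-demo-key"
MSG = b"pay bob 10 euros"          # exactly one 16-byte block

def verifier_accepts_unseen_message(mac) -> bool:
    """True if a tag issued for MSG also verifies a message the key holder never MACed."""
    tag = mac(KEY, MSG)
    return hmac.compare_digest(mac(KEY, spliced(MSG, tag)), tag)

if __name__ == "__main__":
    print(verifier_accepts_unseen_message(cbc_mac))              # True: plain CBC-MAC
    print(verifier_accepts_unseen_message(cbc_mac_with_length))  # False: length-prefixed
```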

  28. Summary
      • Practical constructions for:
        – Perfect secrecy: one-time pad
        – CPA security: stream ciphers, block ciphers
        – CCA security: CPA + MAC
      • Take-away:
        – Use AES-CTR + CBC-MAC (or HMAC)
        – If not, better have a good reason!
