Posted on 20-Apr-2020

CPSC 257: Information Security in the Real World

Ewa Syta

February 2, 2016

CPSC 257 February 2, 2016 1 / 59

1 AES Alternatives

2 Modes of Operations

3 Stream Ciphers

4 Cryptanalysis

AES Alternatives

Other ciphers

There are many good block ciphers to choose from:

• Blowfish, Serpent, Twofish, Camellia, CAST-128, IDEA, RC2/RC5/RC6, SEED, Skipjack, TEA, XTEA

We will have a brief look at

• IDEA

• Blowfish

• RC6

• TEA

IDEA (International Data Encryption Algorithm)

• Designed by Xuejia Lai and James Massey

• Supports a 64-bit data block and a 128-bit key

• 8 rounds, followed by a final output transformation (half-round)

• Novelty: uses mixed-mode arithmetic to produce non-linearity: bitwise XOR (addition mod 2), addition mod 2^16, and multiplication mod 2^16 + 1

• Lai-Massey multiplication: multiplication mod 2^16 + 1, where the all-zero 16-bit word stands for 2^16 so that every input has a multiplicative inverse

• No explicit S-boxes required

[Figure: the IDEA round structure. Legend: multiplication modulo 2^16 + 1; bitwise XOR; addition modulo 2^16.]

Image retrieved from http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm

Blowfish

• Invented by Bruce Schneier

• Supports a 64-bit data block and a variable key length up to 448 bits

• 16 rounds

• Round function uses 4 S-boxes which map 8 bits to 32 bits

• Novelty: the S-boxes are key-dependent (derived from the key each time the cipher is keyed, which makes key setup comparatively slow)

RC6

• Designed by Ron Rivest together with Matt Robshaw, Ray Sidney and Yiqun Lisa Yin

• Parameterized: variable word/block size, key length, and number of rounds (RC6-w/r/b)

• Compliant with the AES competition requirements (AES finalist; submitted with 32-bit words, 20 rounds and a 128-bit block)

• Novelty: data-dependent rotations (the rotation amount is computed from the data being encrypted). It is very unusual for a cipher's operations to depend on the data itself.

TEA (Tiny Encryption Algorithm)

• Invented by David Wheeler and Roger Needham

• Supports 64-bit data block and 128-bit key

• Variable number of rounds; 64 Feistel rounds, i.e. 32 "cycles" of two rounds each, are suggested

• "Weak" round function, hence the large number of rounds

• Novelty: extremely simple, efficient and easy to implement

TEA Encryption

Assuming 32 cycles (64 Feistel rounds); all arithmetic is on 32-bit words mod 2^32, ^ is XOR:

(K[0], K[1], K[2], K[3]) = 128 bit key

(L,R) = plaintext (64-bit block)

delta = 0x9e3779b9

sum = 0

for i = 1 to 32

sum += delta

L += ((R<<4)+K[0])^(R+sum)^((R>>5)+K[1])

R += ((L<<4)+K[2])^(L+sum)^((L>>5)+K[3])

next i

ciphertext = (L,R)

TEA Decryption

Assuming 32 cycles (64 Feistel rounds); all arithmetic is on 32-bit words mod 2^32, ^ is XOR:

(K[0], K[1], K[2], K[3]) = 128 bit key

(L,R) = ciphertext (64-bit block)

delta = 0x9e3779b9

sum = delta << 5   (i.e. 32 * delta mod 2^32, the final value of sum in encryption)

for i = 1 to 32

R -= ((L<<4)+K[2])^(L+sum)^((L>>5)+K[3])

L -= ((R<<4)+K[0])^(R+sum)^((R>>5)+K[1])

sum -= delta

next i

plaintext = (L,R)

TEA Comments

“Almost” a Feistel cipher

• Uses + and - instead of ⊕ (XOR)

Simple, easy to implement, fast, low memory requirement, etc.

A related-key attack is known, and each key has three equivalent keys.

• Flipping the top bit of both K[0] and K[1] (or of both K[2] and K[3]) flips the top bit of both addends that are XORed together, so the change cancels out; the effective key length is therefore 126 bits, not 128.

• eXtended TEA (XTEA) eliminates the related-key attack with a slightly more complex key schedule.

• Simplified TEA (STEA) - insecure version used as an example for cryptanalysis.

Achieving security

Issues:

• No way to prove that a practical cipher is secure.

• Difficult to protect against unknown attacks.

Focus on preventing known attacks:

• Linear cryptanalysis is focused on finding affine approximations to the action of a cipher.

• Differential cryptanalysis is focused on how differences in the cipher input affect the resulting difference in the cipher output.

Achieving security

The goal is to achieve an "appropriate" level of confusion and diffusion.

• Avalanche effect - flipping one input bit changes, on average, half of the output bits (informal interpretation).

• Number of rounds vs. round complexity.

• Security vs. efficiency

• Return on investment
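TEA as given in the encryption and decryption pseudocode above, written out in Python as an added example (not the lecture's code), and used to check two of the points just made: the avalanche effect (flip one plaintext bit, count how many ciphertext bits change) and the equivalent-key property behind the related-key comment. The key and plaintext values in the demo are constructed samples.

```python
"""TEA from the slides' pseudocode: 32 cycles (64 Feistel rounds), 64-bit block,
128-bit key, all arithmetic on 32-bit words. Added example, not the lecture's code."""
import struct

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF
CYCLES = 32


def tea_encrypt_block(v0, v1, key, cycles=CYCLES):
    """Encrypt one 64-bit block given as two 32-bit words (L, R); key = (K0, K1, K2, K3)."""
    k0, k1, k2, k3 = key
    s = 0
    for _ in range(cycles):
        s = (s + DELTA) & MASK
        v0 = (v0 + ((((v1 << 4) & MASK) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK
        v1 = (v1 + ((((v0 << 4) & MASK) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK
    return v0, v1


def tea_decrypt_block(v0, v1, key, cycles=CYCLES):
    """Inverse: start with sum = cycles * delta (delta << 5 for 32 cycles), undo rounds in reverse."""
    k0, k1, k2, k3 = key
    s = (DELTA * cycles) & MASK
    for _ in range(cycles):
        v1 = (v1 - ((((v0 << 4) & MASK) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK
        v0 = (v0 - ((((v1 << 4) & MASK) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK
        s = (s - DELTA) & MASK
    return v0, v1


def tea_encrypt(block8: bytes, key16: bytes) -> bytes:
    """Byte-oriented wrapper: 8-byte block and 16-byte key as big-endian 32-bit words."""
    v0, v1 = struct.unpack(">2I", block8)
    key = struct.unpack(">4I", key16)
    return struct.pack(">2I", *tea_encrypt_block(v0, v1, key))


def tea_decrypt(block8: bytes, key16: bytes) -> bytes:
    v0, v1 = struct.unpack(">2I", block8)
    key = struct.unpack(">4I", key16)
    return struct.pack(">2I", *tea_decrypt_block(v0, v1, key))


def equivalent_keys(key16: bytes) -> list:
    """The three other keys that encrypt exactly like key16.
    Flipping bit 31 of both K0 and K1 flips bit 31 of both addends ((R<<4)+K0) and
    ((R>>5)+K1); the XOR between them cancels the change. The same holds for (K2, K3),
    so every TEA key has 3 equivalents and the effective key length is 126 bits."""
    k = list(struct.unpack(">4I", key16))
    top = 0x80000000
    variants = []
    for flip01, flip23 in ((1, 0), (0, 1), (1, 1)):
        kk = list(k)
        if flip01:
            kk[0] ^= top
            kk[1] ^= top
        if flip23:
            kk[2] ^= top
            kk[3] ^= top
        variants.append(struct.pack(">4I", *kk))
    return variants


def avalanche(key16: bytes, block8: bytes) -> float:
    """Average number of the 64 ciphertext bits that change when one plaintext bit is flipped.
    A good block cipher gives about 32."""
    base = int.from_bytes(tea_encrypt(block8, key16), "big")
    total = 0
    for bit in range(64):
        flipped = (int.from_bytes(block8, "big") ^ (1 << bit)).to_bytes(8, "big")
        total += bin(base ^ int.from_bytes(tea_encrypt(flipped, key16), "big")).count("1")
    return total / 64


if __name__ == "__main__":
    key = bytes(range(16))      # constructed sample key
    pt = b"ATTACK!!"            # constructed sample block
    ct = tea_encrypt(pt, key)
    print("ciphertext:", ct.hex(), "round trip ok:", tea_decrypt(ct, key) == pt)
    print("equivalent keys give the same ciphertext:",
          all(tea_encrypt(pt, k2) == ct for k2 in equivalent_keys(key)))
    print("avalanche (avg changed bits out of 64): %.1f" % avalanche(key, pt))
```

The masking in each statement keeps every intermediate value in 32 bits, which is what the C original gets for free from `uint32_t`; forgetting it in Python silently turns TEA into a different (and incompatible) cipher.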

Modes of Operations

(Iterated) Block Cipher

Plaintext and ciphertext consist of fixed-sized blocks.

Ciphertext obtained from plaintext by iterating a round function.

• Input to the round function consists of the key and the output of the previous round.

• Output consists of one ciphertext block.

• Encryption continues until there are no plaintext blocks left.

• But what do we do with those ciphertext blocks?

Modes of Operation

Many modes exist - we discuss the 3 most popular.

Electronic Codebook (ECB) mode

• Encrypt each block independently.

• Most obvious approach, but a bad idea.

Cipher Block Chaining (CBC) mode

• Chain the blocks together.

• More secure than ECB, virtually no extra work.

Counter Mode (CTR) mode

• The block cipher acts like a stream cipher.

• Popular for random access.

Codebook Ciphers

Literally, a “code book” cipher.

An example from an 1888 code book:

ECB Mode

Electronic Codebook (ECB) mode.

Most obvious way to use a block cipher.

• Encrypt all plaintext blocks.

• Concatenate all resulting ciphertext blocks.

• Output ciphertext.

[Figure: ECB mode encryption and decryption. Image source: Wikipedia, Block cipher mode of operation]

ECB Cut and Paste

Suppose plaintext is:

• Alice digs Bob. Trudy digs Tom.

Assuming 64-bit blocks and 8-bit ASCII:

• P0 = “ Alice di”, P1 = “ gs Bob. ”,

• P2 = “ Trudy di”, P3 = “ gs Tom. ”

Attack:

• Ciphertext: C0,C1,C2,C3.

• Trudy cuts and pastes: C0,C3,C2,C1.

• Decrypts as Alice digs Tom. Trudy digs Bob.

ECB Weakness

Suppose Pi = Pj .

• Then Ci = Cj and Trudy knows Pi = Pj .

• This gives Trudy some information, even if she does not know Pi or Pj.

• Trudy might know Pi .

Q: Is this a serious issue?

[Figure: "Alice hates ECB mode" - an image encrypted block by block in ECB mode. Image source: Wikipedia, Block cipher mode of operation]

Q: Why does it happen?

CBC Mode

Cipher Block Chaining (CBC) mode.

Blocks are "chained" together in a way that introduces dependence between them: each plaintext block is XORed with the previous ciphertext block before it is encrypted.

A random initialization vector, or IV, is required to initialize CBC mode.

• Nothing to chain the first block with.

• The IV is random (unpredictable to the attacker) but not secret; it is sent along with the ciphertext.

[Figure: CBC mode encryption and decryption. Image source: Wikipedia, Block cipher mode of operation]

CBC Mode

Identical plaintext blocks yield different ciphertext blocks - this is very good!

But what about errors in transmission?

• If C1 is garbled to, say, G then P1 ≠ C0 ⊕ D(G, K) and P2 ≠ G ⊕ D(C2, K)

• But P3 = C2 ⊕ D(C3, K), P4 = C3 ⊕ D(C4, K), ...

• Automatically recovers from errors (self-synchronizing)!

• One damaged ciphertext block garbles two plaintext blocks.

Cut and paste is still possible, but more complex (and will cause garbled blocks).

[Figure: "Alice likes CBC mode" - the same image encrypted in CBC mode. Image source: Wikipedia, Block cipher mode of operation]

Q: Why does it happen?

CTR Mode

Counter Mode (CTR) mode.

• Use block cipher like a stream cipher.

• CTR is popular for random access.

• Preprocessing can greatly improve efficiency.

• No need to have full blocks of data (the last block may be partial; no padding).

• No error propagation: a damaged ciphertext block garbles only the corresponding plaintext block.

• Never recovers from IV (counter) errors: if sender and receiver disagree on the IV, every block decrypts to garbage.

• Critical not to reuse an IV with the same key: the keystream repeats, and C1 ⊕ C2 = P1 ⊕ P2 for the two messages.
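The three modes above on one toy 64-bit block cipher, as an added example that is not from the lecture: it reproduces the ECB cut-and-paste attack on "Alice digs Bob. Trudy digs Tom.", the two-block CBC error propagation, CTR on a partial last block, and what IV reuse in CTR leaks. The block cipher is a stand-in (a four-round Feistel network with a SHA-256 round function, which is a bijection but not a real cipher), chosen so the example runs with the standard library only; key and IV values are constructed.

```python
"""Modes of operation on a 64-bit block cipher: ECB cut-and-paste, CBC error
propagation, CTR with a partial block, and CTR IV reuse. Added example; the
cipher is a hash-based Feistel stand-in, since only the bijection matters here."""
import hashlib

BLOCK = 8
ROUNDS = 4


def _f(key: bytes, rnd: int, half: int) -> int:
    """Round function: 32-bit keyed hash of the right half."""
    digest = hashlib.sha256(key + bytes([rnd]) + half.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")


def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = int.from_bytes(block[:4], "big"), int.from_bytes(block[4:], "big")
    for rnd in range(ROUNDS):
        l, r = r, l ^ _f(key, rnd, r)
    return r.to_bytes(4, "big") + l.to_bytes(4, "big")  # undo the last swap


def block_decrypt(key: bytes, block: bytes) -> bytes:
    """Same network with the rounds applied in reverse order."""
    l, r = int.from_bytes(block[:4], "big"), int.from_bytes(block[4:], "big")
    for rnd in reversed(range(ROUNDS)):
        l, r = r, l ^ _f(key, rnd, r)
    return r.to_bytes(4, "big") + l.to_bytes(4, "big")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def blocks(data: bytes) -> list:
    """Split into 8-byte blocks; the last one may be short (only CTR tolerates that)."""
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    return b"".join(block_encrypt(key, p) for p in blocks(pt))


def ecb_decrypt(key: bytes, ct: bytes) -> bytes:
    return b"".join(block_decrypt(key, c) for c in blocks(ct))


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for p in blocks(pt):
        prev = block_encrypt(key, xor(p, prev))        # C_i = E(P_i xor C_{i-1}), C_0 := IV
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(block_decrypt(key, c), prev))  # P_i = D(C_i) xor C_{i-1}
        prev = c
    return b"".join(out)


def ctr_crypt(key: bytes, iv4: bytes, data: bytes) -> bytes:
    """CTR: keystream block i = E(iv || counter_i). One function encrypts and decrypts,
    and a partial last block just uses as many keystream bytes as it needs."""
    out = bytearray()
    for i, chunk in enumerate(blocks(data)):
        ks = block_encrypt(key, iv4 + i.to_bytes(4, "big"))
        out += xor(chunk, ks[:len(chunk)])
    return bytes(out)


def ecb_cut_and_paste(key: bytes) -> bytes:
    """Trudy reorders ciphertext blocks C0,C1,C2,C3 -> C0,C3,C2,C1 without knowing the key."""
    ct = blocks(ecb_encrypt(key, b"Alice digs Bob. Trudy digs Tom. "))
    return ecb_decrypt(key, ct[0] + ct[3] + ct[2] + ct[1])


def cbc_error_propagation(key: bytes, iv: bytes) -> tuple:
    """Flip one bit in ciphertext block C1 (0-based); report which plaintext blocks survive."""
    pt = b"block-00block-01block-02block-03"
    ct = bytearray(cbc_encrypt(key, iv, pt))
    ct[BLOCK] ^= 0x01
    recovered = cbc_decrypt(key, iv, bytes(ct))
    return tuple(a == b for a, b in zip(blocks(pt), blocks(recovered)))


def ctr_iv_reuse_leak(key: bytes, iv4: bytes) -> bool:
    """With a reused IV the keystream repeats, so C1 xor C2 == P1 xor P2."""
    p1, p2 = b"pay Alice $100.00", b"pay Trudy $999.99"
    return xor(ctr_crypt(key, iv4, p1), ctr_crypt(key, iv4, p2)) == xor(p1, p2)


if __name__ == "__main__":
    key, iv = b"0123456789abcdef", b"\x00" * BLOCK     # constructed sample values
    print(ecb_cut_and_paste(key))                      # b'Alice digs Tom. Trudy digs Bob. '
    print(cbc_error_propagation(key, iv))              # (True, False, False, True)
    print(ctr_iv_reuse_leak(key, b"nonc"))             # True
```

None of the three demonstrations depends on the strength of the block cipher: the cut-and-paste, the two-block garble and the IV-reuse leak would work identically against AES, because they are properties of the mode, not of the cipher.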

[Figure: CTR mode encryption and decryption. Image source: Wikipedia, Block cipher mode of operation]

Stream Ciphers

Symmetric Key Crypto

Stream cipher - generalized one-time pad.

• Except that key is relatively short.

• Key is stretched into a long keystream.

• Keystream is used just like a one-time pad.

Block cipher - generalized codebook.

• Block cipher key determines a codebook.

• Each key yields a different codebook.

• Employs both confusion and diffusion.

Stream Ciphers

Stream ciphers used to be very popular. Today, not as popular asblock ciphers.

We will discuss two stream ciphers.

A5/1

• Based on shift registers.

• Used in GSM mobile phone system.

RC4

• Based on a changing lookup table.

• Used many places.

A5/1

A5/1 is used to provide over-the-air communication security in the GSM cellular telephone standard in Europe and the United States.

It was initially kept secret, but became public knowledge through leaks and reverse engineering. Remember Big Idea #3?

A number of feasible attacks known. It is insecure.

A5/1: Shift Registers

Shift register:

• Cascade of connected flip-flops, sharing the same clock, in which the output of one is the input of the next one.

• Shifts by one position and shifts out the last bit in the register.

• May feed back some information.

A5/1 uses 3 shift registers.

• X : 19 bits (x0, x1, x2, ..., x18)

• Y : 22 bits (y0, y1, y2, ..., y21)

• Z : 23 bits (z0, z1, z2, ..., z22)

A5/1

X: x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15 x16 x17 x18

Y: y0 y1 y2 y3 y4 y5 y6 y7 y8 y9 y10 y11 y12 y13 y14 y15 y16 y17 y18 y19 y20 y21

Z: z0 z1 z2 z3 z4 z5 z6 z7 z8 z9 z10 z11 z12 z13 z14 z15 z16 z17 z18 z19 z20 z21 z22

• Each variable here is a single bit.

• Key is used as initial fill of registers.

• Each register steps (or not) based on maj(x8, y10, z10).

• Keystream bit is XOR of rightmost bits of registers

A5/1: Keystream

At each iteration: m = maj(x8, y10, z10)

• Examples: maj(0, 1, 0) = 0 and maj(1, 1, 0) = 1

If x8 = m then X steps

• t = x13 ⊕ x16 ⊕ x17 ⊕ x18

• xi = xi−1 for i = 18, 17, . . . , 1 and x0 = t

If y10 = m then Y steps

• t = y20 ⊕ y21

• yi = yi−1 for i = 21, 20, . . . , 1 and y0 = t

If z10 = m then Z steps

• t = z7 ⊕ z20 ⊕ z21 ⊕ z22

• zi = zi−1 for i = 22, 21, . . . , 1 and z0 = t

Keystream bit is x18 ⊕ y21 ⊕ z22

A5/1: Example

X: 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1

Y: 1 1 0 0 1 1 0 0 1 1 0 0 1 1 0 0 1 1 0 0 0 1

Z: 1 1 1 0 0 0 0 1 1 1 1 0 0 0 0 1 1 1 1 0 0 0 1

• In this example, m = maj(x8, y10, z10) = maj(1, 0, 1) = 1.

• Register X steps, Y does not step, and Z steps.

• Keystream bit is the XOR of the rightmost bits of the registers (after stepping).

• Here, keystream bit will be 0⊕ 1⊕ 0 = 1.
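The A5/1 generator from the last three slides in Python, added here as an example (not the lecture's code). It takes the register fills directly, as the slides do, so the real GSM key and frame-number loading is not modelled; the fills below are the slide's worked example, and the code reproduces its first keystream bit and the register contents after that step.

```python
"""A5/1 keystream generator as described on the slides: three LFSRs (19/22/23 bits),
majority-controlled clocking, output = XOR of the rightmost bits. Added example.
Register fills are supplied directly; the GSM key/frame loading is not modelled."""


def majority(a: int, b: int, c: int) -> int:
    return (a & b) | (a & c) | (b & c)


class A51:
    # register name -> (length, clocking bit index, feedback tap indices), from the slides
    SPEC = {"x": (19, 8, (13, 16, 17, 18)),
            "y": (22, 10, (20, 21)),
            "z": (23, 10, (7, 20, 21, 22))}

    def __init__(self, x, y, z):
        self.x, self.y, self.z = list(x), list(y), list(z)
        for name, (n, _, _) in self.SPEC.items():
            reg = getattr(self, name)
            if len(reg) != n or any(b not in (0, 1) for b in reg):
                raise ValueError(f"register {name} must hold exactly {n} bits")

    @staticmethod
    def _step(reg: list, taps: tuple) -> list:
        """Shift right by one (reg[i] = reg[i-1]) and feed the XOR of the taps into position 0."""
        t = 0
        for i in taps:
            t ^= reg[i]
        return [t] + reg[:-1]

    def clock(self) -> int:
        """One iteration: the majority of the clocking bits decides which registers step,
        then one keystream bit is the XOR of the rightmost bits."""
        m = majority(self.x[8], self.y[10], self.z[10])
        if self.x[8] == m:
            self.x = self._step(self.x, self.SPEC["x"][2])
        if self.y[10] == m:
            self.y = self._step(self.y, self.SPEC["y"][2])
        if self.z[10] == m:
            self.z = self._step(self.z, self.SPEC["z"][2])
        return self.x[18] ^ self.y[21] ^ self.z[22]

    def keystream(self, n: int) -> list:
        return [self.clock() for _ in range(n)]


def xor_bits(data: bytes, ks: list) -> bytes:
    """Encrypt or decrypt a byte string with a bit keystream, MSB of each byte first."""
    out = bytearray(data)
    for i, bit in enumerate(ks[:8 * len(data)]):
        out[i // 8] ^= bit << (7 - i % 8)
    return bytes(out)


# The register fills from the slides' worked example.
X_EX = [1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1]
Y_EX = [1, 1, 0, 0, 1, 1, 0, 0, 1, 1, 0, 0, 1, 1, 0, 0, 1, 1, 0, 0, 0, 1]
Z_EX = [1, 1, 1, 0, 0, 0, 0, 1, 1, 1, 1, 0, 0, 0, 0, 1, 1, 1, 1, 0, 0, 0, 1]


if __name__ == "__main__":
    gen = A51(X_EX, Y_EX, Z_EX)
    print("first keystream bit:", gen.clock())         # 1, as on the slide
    msg = b"GSM"                                        # constructed sample plaintext
    ks = A51(X_EX, Y_EX, Z_EX).keystream(8 * len(msg))
    ct = xor_bits(msg, ks)
    print("ciphertext:", ct.hex(), "decrypts back:", xor_bits(ct, ks) == msg)
```

Because at least two of the three registers step on every clock (the majority always agrees with at least two clocking bits), the generator never stalls; that irregular clocking is the only non-linearity A5/1 has, which is why the known attacks on it are feasible.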

Shift Register Crypto

Shift register crypto is efficient in hardware.

• But often slow if implemented in software.

In the past, very, very popular.

• Today, more is done in software due to fast processors.

Shift register crypto is still used in some places.

• Especially in resource-constrained devices.

RC4

RC4 = Rivest Cipher 4, also known as ARC4 or ARCFOUR.

Remarkable simplicity and speed in software.

Particularly problematic uses of RC4 have led to very insecure protocols such as WEP (Wired Equivalent Privacy), which formed each per-packet key by prepending a public 24-bit IV to the secret key.

Many attacks known; RC4 is now deprecated (its use in TLS is prohibited by RFC 7465).

RC4

A self-modifying lookup table.

Table always contains a permutation of the byte values 0, 1, . . . , 255.

Initialize the permutation using the key.

At each step, RC4 does the following

• Swaps elements in current lookup table.

• Selects a keystream byte from table

Each step of RC4 produces a byte.

• Efficient in software.

Each step of A5/1 produces only a bit.

• Efficient in hardware

RC4 Initialization

S[] is a permutation of 0, 1, . . . , 255. key[] contains N bytes of key.

for i = 0 to 255

S[i] = i

K[i] = key[i (mod N)]

next i

j = 0

for i = 0 to 255

j = (j + S[i] + K[i]) mod 256

swap(S[i], S[j])

next i

i = j = 0

RC4 Keystream

At each step, swap elements in table and select keystream byte

i = (i + 1) mod 256

j = (j + S[i]) mod 256

swap(S[i], S[j])

t = (S[i] + S[j]) mod 256

keystreamByte = S[t]

Use keystream bytes like a one-time pad.

Note: the first keystream bytes should be discarded (at least 256; RC4-drop[n] implementations commonly use n = 768 or more).

• Otherwise, the early output is biased (the second keystream byte is 0 with probability about 1/128) and related-key attacks on the key setup exist, as exploited against WEP.
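RC4 initialization and keystream generation from the two slides above, as an added example (not the lecture's code), with an optional RC4-drop[n] prefix discard and a small experiment showing why the early bytes are untrustworthy: over random 16-byte keys the second keystream byte is 0 roughly twice as often as a uniform byte would be. The key/plaintext pairs in the demo are the well-known public RC4 test vectors; the random keys for the bias measurement are generated locally from a fixed seed.

```python
"""RC4 as on the slides (KSA + PRGA), with optional discard of the first n keystream
bytes, and a measurement of the second-byte bias that motivates the discard.
Added example, not the lecture's code."""
import random


def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: derive the initial permutation S from the key."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key: bytes, n: int, drop: int = 0):
    """PRGA: yield n keystream bytes after silently discarding the first `drop` bytes."""
    S = rc4_ksa(key)
    i = j = 0
    produced = 0
    while produced < n:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        t = (S[i] + S[j]) & 0xFF
        if drop > 0:
            drop -= 1
            continue
        produced += 1
        yield S[t]


def rc4_crypt(key: bytes, data: bytes, drop: int = 0) -> bytes:
    """Encrypt or decrypt (same operation): XOR the data with the keystream, one-time-pad style."""
    return bytes(d ^ k for d, k in zip(data, rc4_keystream(key, len(data), drop)))


def second_byte_zero_ratio(num_keys: int, seed: int = 1) -> float:
    """How often the 2nd keystream byte is 0 over random 16-byte keys, relative to the
    uniform rate 1/256. Mantin and Shamir showed the true rate is about 2/256, so the
    ratio comes out near 2 rather than 1."""
    rng = random.Random(seed)
    zeros = 0
    for _ in range(num_keys):
        key = bytes(rng.randrange(256) for _ in range(16))
        zeros += list(rc4_keystream(key, 2))[1] == 0
    return zeros / (num_keys / 256)


if __name__ == "__main__":
    ct = rc4_crypt(b"Key", b"Plaintext")
    print(ct.hex())                                  # bbf316e8d940af0ad3
    print(rc4_crypt(b"Key", ct) == b"Plaintext")     # True
    print("2nd-byte-zero rate vs uniform: %.2f" % second_byte_zero_ratio(4000))
```

Dropping a prefix removes the worst of the early biases but not the long-term ones later found in the keystream, which is why the fix of record was to stop using RC4 rather than to drop more bytes.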

Stream Ciphers

Stream ciphers were popular in the past.

• Efficient in hardware.

• Speed was needed to keep up with voice, etc.

• Today, processors are fast, so software-based crypto is usually more than fast enough.

Future of stream ciphers?

• Shamir declared “the death of stream ciphers”.

• May be greatly exaggerated...

Cryptanalysis

Let’s revisit what we have learned about security and breaking it.

Crypto as a black box

[Diagram: plaintext P -> encrypt (with key) -> ciphertext C -> decrypt (with key) -> plaintext P]

Who knows what?

[Diagram: Alice encrypts P into C with the key; Bob decrypts C back to P with the key; Trudy observes C]

Trudy knows the ciphertext.
Trudy knows the cipher and how it works.
Trudy might know a little more.
Trudy does not know the key.

Who knows what?

[Diagram: as above, but with a key pair - one key is used to encrypt, the other to decrypt; Trudy observes C]

Trudy knows the ciphertext.
Trudy knows the cipher and how it works.
Trudy might know a little more.
Trudy does not know the private key, but she knows the public key.

Trudy’s goals

Trudy wants to learn something. Trudy is not bound by any rules: she can do as she wishes with the information she has available.

We don’t want her to be able to:

• Recover the key.

• Find the plaintext to a ciphertext.

• Determine any character of the plaintext.

• Derive any meaningful information about the plaintext.

• Compute any function of the plaintext.

Q: What is one property of a plaintext very difficult to hide?

Exhaustive Key Search

Exhaustive key search - Trudy can simply try all possible keys and test each to see if it is correct.

• Remember, she has some ciphertexts (and usually some known plaintext or recognizable structure), so she knows when she has found the right key.

To prevent an exhaustive key search, a cryptosystem must have a large keyspace.

• The keyspace is the set of all possible keys.

• There must be too many keys for Trudy to try them all in any reasonable amount of time.

Beyond Exhaustive Search

A large keyspace is necessary for security.

But a large keyspace is not sufficient.

• Shortcut attacks might exist.

• In cryptography we can (almost) never prove that no shortcut attack exists.

Definition of Secure

A cryptosystem is secure if the best known attack is to try all possible keys.

Cryptosystem is insecure if any shortcut attack is known.

The size of the keyspace is the “advertised” level of security.

• The larger, the better!

Types of attacks

Ciphertext-only attack (COA)

• Trudy has access only to a set of ciphertexts.

Known-plaintext attack (KPA)

• Trudy has access to pairs of plaintext and ciphertext.

Chosen-plaintext attack (CPA)

• Trudy can obtain ciphertexts for arbitrary plaintexts.

Adaptive chosen-plaintext attack (CPA2)

• Trudy can obtain the ciphertexts of additional plaintexts after seeing the ciphertexts for some plaintexts.

Types of attacks

Chosen-ciphertext attack (CCA)

• Trudy can obtain plaintexts (decryptions) for arbitrary ciphertexts.

Adaptive chosen-ciphertext attack (CCA2)

• Trudy can obtain the plaintexts of additional ciphertexts after seeing the plaintexts for some ciphertexts.

Types of attacks

Depending on the type of cipher (symmetric vs. asymmetric), different attacks are available to Trudy. With a public-key cipher she can always mount a chosen-plaintext attack, since she can encrypt anything she likes with the public key.

• Ciphertext-only attack

• Known-plaintext attack

• Chosen-plaintext attack / Adaptive chosen-plaintext attack

• Chosen-ciphertext attack / Adaptive chosen-ciphertext attack

Security Notions

Information-theoretic security

• Holds against a computationally unbounded adversary.

• The adversary simply does not have enough information to break the encryption.

Computational security

• Holds against a computationally bounded adversary.

• The adversary can succeed only with some very small (negligible) probability.

Security Notions

Symmetric Crypto

• Compared against known attacks or cryptanalytic approaches.

• Measured with respect to known metrics (avalanche effect).

Asymmetric Crypto

• Offers proofs of security by reduction: breaking the scheme is shown to be at least as hard as solving a computationally difficult problem.

• Based on computationally difficult problems (e.g. factoring or discrete logarithms).
