Computer Security: Computer Security: Principles and PracticePrinciples and Practice

First EditionFirst Editionby William Stallings and Lawrie Brownby William Stallings and Lawrie Brown

Lecture slides by Lawrie BrownLecture slides by Lawrie Brown

Chapter 19 Chapter 19 –– Symmetric Encryption Symmetric Encryption and Message Confidentialityand Message Confidentiality

Symmetric Encryption and Symmetric Encryption and Message ConfidentialityMessage Confidentiality

also known as: conventional encryption, secretalso known as: conventional encryption, secret--key, or singlekey, or single--key encryptionkey encryption

only alternative before publiconly alternative before public--key crypto in 70key crypto in 70’’ssstill most widely usedstill most widely used alternativealternativehas ingredients: plaintext, encryption algorithm, secret has ingredients: plaintext, encryption algorithm, secret key, key, ciphertextciphertext, and decryption algorithm, and decryption algorithm

generically classified along dimensions of:generically classified along dimensions of:1.1. type of operations usedtype of operations used2.2. number of keys usednumber of keys used3.3. way in which the plaintext is processedway in which the plaintext is processed

CryptanalysisCryptanalysis

attacks:attacks:ciphertextciphertext only only -- least info, hardestleast info, hardestknown plaintext known plaintext -- some plain/cipher pairssome plain/cipher pairschosen plaintext chosen plaintext -- get own plain/cipher pairsget own plain/cipher pairschosen chosen ciphertextciphertext -- rarerrarerchosen text chosen text -- rarerrarer

only weak only weak algsalgs fail a fail a ciphertextciphertext--only attackonly attackusually design usually design algsalgs to withstand a knownto withstand a known--plaintext attackplaintext attack

Computationally Secure Computationally Secure AlgsAlgs

encryption is computationally secure if:encryption is computationally secure if:cost of breaking cipher exceeds info valuecost of breaking cipher exceeds info valuetime required to break cipher exceeds the time required to break cipher exceeds the useful lifetime of the infouseful lifetime of the info

usually very difficult to estimate the usually very difficult to estimate the amount of effort required to breakamount of effort required to breakcan estimate time/cost of a brutecan estimate time/cost of a brute--force force attack (see Ch 2)attack (see Ch 2)

FeistelFeistelCipher Cipher

StructureStructure

Block Cipher StructureBlock Cipher Structurehave a general iterative block cipher structurehave a general iterative block cipher structure

with a sequence of roundswith a sequence of roundswith substitutions / permutations controlled by keywith substitutions / permutations controlled by key

parameters and design features:parameters and design features:block sizeblock sizekey sizekey sizenumber of roundsnumber of roundssubkeysubkey generation algorithmgeneration algorithmround functionround functionalso: fast software en/decrypt, ease of analysisalso: fast software en/decrypt, ease of analysis

Data Encryption Standard Data Encryption Standard (DES)(DES)

Triple DES (3DES)Triple DES (3DES)first used in financial applicationsfirst used in financial applicationsin DES FIPS PUB 46in DES FIPS PUB 46--3 standard of 19993 standard of 1999uses three keys & three DES executions:uses three keys & three DES executions:

CC = E(= E(KK33, D(, D(KK22, E(, E(KK11, , PP))))))decryption same with keys reverseddecryption same with keys reverseduse of decryption in second stage gives use of decryption in second stage gives compatibility with original DES userscompatibility with original DES userseffective 168effective 168--bit key length, slow, securebit key length, slow, secureAES will eventually replace 3DESAES will eventually replace 3DES

Advanced Advanced Encryption Encryption Standard Standard

(AES)(AES)

AES Round StructureAES Round Structure

Substitute BytesSubstitute Bytes

a simple table lookup in Sa simple table lookup in S--boxboxa 16a 16××16 matrix of byte values16 matrix of byte valuesmapping old byte to a new valuemapping old byte to a new value•• e.g. {95} maps to {2A}e.g. {95} maps to {2A}

a permutation of all possible 256 8a permutation of all possible 256 8--bit valuesbit valuesconstructed using finite field propertiesconstructed using finite field properties

designed to be resistant to known designed to be resistant to known cryptanalytic attackscryptanalytic attacks

decrypt uses inverse of Sdecrypt uses inverse of S--boxbox

Shift RowsShift Rows

on encrypt left rotate each row of State by on encrypt left rotate each row of State by 0,1,2,3 bytes respectively0,1,2,3 bytes respectivelydecrypt does reversedecrypt does reverseto move individual bytes from one column to move individual bytes from one column to another and spread bytes over columnsto another and spread bytes over columns

Mix Columns & Add KeyMix Columns & Add KeyMix ColumnsMix Columns

operates on each column individuallyoperates on each column individuallymapping each byte to a new value that is a mapping each byte to a new value that is a function of all four bytes in the columnfunction of all four bytes in the columnuse of equations over finite fieldsuse of equations over finite fieldsto provide good mixing of bytes in columnto provide good mixing of bytes in column

Add Round KeyAdd Round Keysimply XOR State with bits of expanded keysimply XOR State with bits of expanded keysecurity from complexity of round key security from complexity of round key expansion and other stages of AESexpansion and other stages of AES

Stream CiphersStream Ciphers

processes input elements continuouslyprocesses input elements continuouslykey input to a pseudorandom bit generatorkey input to a pseudorandom bit generator

produces stream of random like numbersproduces stream of random like numbersunpredictable without knowing input keyunpredictable without knowing input keyXOR XOR keystreamkeystream output with plaintext bytesoutput with plaintext bytes

are faster and use far less codeare faster and use far less codedesign considerations:design considerations:

encryption sequence should have a large periodencryption sequence should have a large periodkeystreamkeystream approximates random number propertiesapproximates random number propertiesuses a sufficiently long keyuses a sufficiently long key

RC4RC4

Modes of OperationModes of Operation

block ciphers process data in blocksblock ciphers process data in blockse.g. 64e.g. 64--bits (DES, 3DES) or 128bits (DES, 3DES) or 128--bits (AES)bits (AES)

for longer messages must break upfor longer messages must break upand possibly pad end to and possibly pad end to blocksizeblocksize multiplemultiple

have 5 fivehave 5 five modes of operationmodes of operation for thisfor thisdefined in NIST SP 800defined in NIST SP 800--38A38Amodes are: ECB, CBC, CFB, OFB, CTRmodes are: ECB, CBC, CFB, OFB, CTR

Electronic Codebook (ECB)Electronic Codebook (ECB)

simplest modesimplest modesplit plaintext into blockssplit plaintext into blocksencrypt each block using the same keyencrypt each block using the same key““codebookcodebook”” because have unique because have unique ciphertextciphertext value for each plaintext blockvalue for each plaintext block

not secure for long messages since repeated not secure for long messages since repeated plaintext is seen in repeated plaintext is seen in repeated ciphertextciphertext

Cipher Block Chaining (CBC)Cipher Block Chaining (CBC)

Cipher Feedback (CFB)Cipher Feedback (CFB)

Counter (CTR)Counter (CTR)

Location of EncryptionLocation of Encryption

Key DistributionKey Distributionsymmetric crypto needs a shared key:symmetric crypto needs a shared key:two parties A & B can achieve this by:two parties A & B can achieve this by:

A selects key, physically delivers to BA selects key, physically delivers to B3rd party select keys, physically delivers to A, B3rd party select keys, physically delivers to A, B•• reasonable for link crypto, bad for large noreasonable for link crypto, bad for large no’’s userss users

A selects new key, sends encrypted using A selects new key, sends encrypted using previous old key to Bprevious old key to B•• good for either, but security fails if any key discoveredgood for either, but security fails if any key discovered

3rd party C selects key, sends encrypted to 3rd party C selects key, sends encrypted to each of A & B using existing key with eacheach of A & B using existing key with each•• best for endbest for end--toto--end encryptionend encryption

Key DistributionKey Distribution

SummarySummary

introduced symmetric encryption basicsintroduced symmetric encryption basicsDES, 3DES and AESDES, 3DES and AESstream ciphers and RC4stream ciphers and RC4modes of operationmodes of operationlocation of encryptionlocation of encryptionkey distributionkey distribution