CPSC 257: Information Security in the Real World
Ewa Syta
February 2, 2016
CPSC 257 February 2, 2016 1 / 59
1 AES Alternatives
2 Modes of Operations
3 Stream Ciphers
4 Cryptanalysis
AES Alternatives
Other ciphers
There are many good block ciphers to choose from:
• Blowfish, Serpent, Twofish, Camellia, CAST-128, IDEA, RC2/RC5/RC6, SEED, Skipjack, TEA, XTEA
We will have a brief look at
• IDEA
• Blowfish
• RC6
• TEA
Caveat: IDEA, Blowfish and TEA all work on 64-bit blocks. With a 64-bit block, ciphertext collisions become likely (and start leaking relations between plaintext blocks in CBC and CTR modes) after about 2^32 blocks, i.e. 32 GB, under one key, so 128-bit block ciphers such as AES are the default choice for new designs.
IDEA (International Data Encryption Algorithm)
• Invented by Xuejia Lai and James Massey (1991)
• Supports 64-bit data block and 128-bit key
• 8 rounds, followed by an output transformation (a "half round")
• Novelty: uses mixed-mode arithmetic on 16-bit words to produce non-linearity
• Bitwise XOR (addition mod 2) combined with addition mod 2^16
• Lai-Massey multiplication: multiplication mod 2^16 + 1, with the all-zero word standing for 2^16 (2^16 + 1 is prime, so every word then has an inverse)
• No explicit S-boxes required; mixing three mutually incompatible group operations does the job of S-boxes
[Figure: one IDEA round. Legend: ⊙ multiplication modulo 2^16 + 1, ⊕ bitwise XOR, ⊞ addition modulo 2^16]
Image retrieved from http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
Blowfish
• Invented by Bruce Schneier (1993)
• Supports 64-bit data block and a variable key length from 32 up to 448 bits
• 16 rounds (Feistel network)
• Round function uses 4 S-boxes which map 8 bits to 32 bits
• Novelty: the S-boxes (and the 18 round subkeys) are key-dependent; they are generated from the key by repeatedly running the cipher itself
• Consequence: key setup is slow (about 521 block encryptions), which makes Blowfish a poor fit for frequent rekeying but is exactly what bcrypt exploits to make password hashing expensive
RC6
• Designed by Ron Rivest, Matt Robshaw, Ray Sidney and Yiqun Lisa Yin (1998), evolved from RC5
• Parameterized: variable block size, key length, and number of rounds (the AES submission used 128-bit blocks, 128/192/256-bit keys and 20 rounds)
• Met the AES competition requirements and was one of the five AES finalists
• Novelty: data-dependent rotations, where the rotation amount in each round is taken from the data being encrypted rather than from the key
• Very unusual to let the data steer the operation
TEA (Tiny Encryption Algorithm)
• Invented by David Wheeler and Roger Needham (Cambridge, 1994)
• Supports 64-bit data block and 128-bit key
• Variable number of rounds: 64 Feistel rounds suggested, counted as 32 "cycles" of the two half-block updates in the pseudocode below
• "Weak" round function, hence the large number of rounds
• Novelty: extremely simple, efficient and easy to implement (a few lines of C, no tables)
TEA Encryption
Assuming 32 cycles (64 Feistel rounds); all additions are mod 2^32, and << and >> are plain shifts on 32-bit words:
(K[0], K[1], K[2], K[3]) = 128-bit key, as four 32-bit words
(L, R) = plaintext (64-bit block, as two 32-bit words)
delta = 0x9e3779b9   (2^32 divided by the golden ratio, rounded down)
sum = 0
for i = 1 to 32
    sum += delta
    L += ((R << 4) + K[0]) ^ (R + sum) ^ ((R >> 5) + K[1])
    R += ((L << 4) + K[2]) ^ (L + sum) ^ ((L >> 5) + K[3])
next i
ciphertext = (L, R)
TEA Decryption
Assuming 32 cycles; sum starts at the value encryption ended with:
(K[0], K[1], K[2], K[3]) = 128-bit key
(L, R) = ciphertext (64-bit block)
delta = 0x9e3779b9
sum = delta << 5   (= 32 * delta mod 2^32, the final sum of encryption)
for i = 1 to 32
    R -= ((L << 4) + K[2]) ^ (L + sum) ^ ((L >> 5) + K[3])
    L -= ((R << 4) + K[0]) ^ (R + sum) ^ ((R >> 5) + K[1])
    sum -= delta
next i
plaintext = (L, R)
Note the order: the half-block updates are undone in reverse (R first, then L), and sum is decremented after both, mirroring the increment before them in encryption.
TEA Comments
"Almost" a Feistel cipher
• The round output is combined with the other half-block using addition mod 2^32 instead of ⊕ (XOR), so decryption subtracts rather than re-XORs.
Simple, easy to implement, fast, low memory requirement, etc.
Weaknesses
• A related-key attack exists (Kelsey, Schneier and Wagner, 1997).
• Equivalent keys: flipping the top bit of both K[0] and K[1] (or of both K[2] and K[3]) leaves every ciphertext unchanged, because the two affected terms are XORed together and the flips cancel. Each key therefore has three equivalents, the effective key size is 126 bits, and TEA is unsuitable as a building block for a hash function.
• eXtended TEA (XTEA) reworks the key schedule to eliminate the related-key attack (slightly more complex).
• Simplified TEA (STEA) is an insecure version used as an example for cryptanalysis.
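The pseudocode above as a runnable Python implementation. This is an added example for these notes, not code from the slides or from the TEA authors; the helper names, the test key and the plaintext are the example's own choices. It also checks two of the comments above in code: the avalanche behaviour of the 32-cycle cipher, and the equivalent-key property of TEA's key schedule.

```python
# Added example: TEA (32 cycles = 64 Feistel rounds) in pure Python.
# Words are 32-bit; every addition is reduced mod 2**32 to match the C original.
import struct

DELTA = 0x9E3779B9          # floor(2**32 / golden ratio)
MASK32 = 0xFFFFFFFF
CYCLES = 32                 # 64 Feistel rounds, as suggested by the designers


def _half_round(v: int, s: int, k_a: int, k_b: int) -> int:
    """TEA round function ((v<<4)+k_a) ^ (v+s) ^ ((v>>5)+k_b) on 32-bit words."""
    return ((((v << 4) & MASK32) + k_a) ^ (v + s) ^ ((v >> 5) + k_b)) & MASK32


def tea_encrypt_block(block: bytes, key: bytes) -> bytes:
    """Encrypt one 8-byte block under a 16-byte key (big-endian words)."""
    if len(block) != 8 or len(key) != 16:
        raise ValueError("TEA needs an 8-byte block and a 16-byte key")
    l, r = struct.unpack(">II", block)
    k0, k1, k2, k3 = struct.unpack(">IIII", key)
    s = 0
    for _ in range(CYCLES):
        s = (s + DELTA) & MASK32
        l = (l + _half_round(r, s, k0, k1)) & MASK32
        r = (r + _half_round(l, s, k2, k3)) & MASK32
    return struct.pack(">II", l, r)


def tea_decrypt_block(block: bytes, key: bytes) -> bytes:
    """Undo tea_encrypt_block: same schedule run backwards, subtracting."""
    if len(block) != 8 or len(key) != 16:
        raise ValueError("TEA needs an 8-byte block and a 16-byte key")
    l, r = struct.unpack(">II", block)
    k0, k1, k2, k3 = struct.unpack(">IIII", key)
    s = (DELTA * CYCLES) & MASK32      # == DELTA << 5 for 32 cycles
    for _ in range(CYCLES):
        r = (r - _half_round(l, s, k2, k3)) & MASK32
        l = (l - _half_round(r, s, k0, k1)) & MASK32
        s = (s - DELTA) & MASK32
    return struct.pack(">II", l, r)


def equivalent_key(key: bytes) -> bytes:
    """Flip the top bit of K[0] and K[1]: a different key with identical behaviour."""
    k0, k1, k2, k3 = struct.unpack(">IIII", key)
    return struct.pack(">IIII", k0 ^ 0x80000000, k1 ^ 0x80000000, k2, k3)


def avalanche_bits(block: bytes, key: bytes, bit: int) -> int:
    """Number of ciphertext bits that change when plaintext bit `bit` is flipped."""
    flipped = bytearray(block)
    flipped[bit // 8] ^= 1 << (bit % 8)
    a = int.from_bytes(tea_encrypt_block(block, key), "big")
    b = int.from_bytes(tea_encrypt_block(bytes(flipped), key), "big")
    return bin(a ^ b).count("1")


if __name__ == "__main__":
    # Constructed inputs for the demonstration, not an official test vector.
    key = bytes(range(16))
    pt = b"ABCDEFGH"
    ct = tea_encrypt_block(pt, key)
    print(ct.hex(), tea_decrypt_block(ct, key))
    print("equivalent key gives same ciphertext:",
          tea_encrypt_block(pt, equivalent_key(key)) == ct)
    print("bits changed by flipping plaintext bit 0:", avalanche_bits(pt, key, 0))
```

The masking after each XOR is what turns Python's unbounded integers into the 32-bit arithmetic the C reference relies on; forgetting it is the usual porting bug. Because decryption reverses the order of the two half-block updates, a transposition of the two lines in the decrypt loop still "looks" symmetric but fails the round trip, which is why the round trip is the first thing to test.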
Achieving security
Issues:
• No way to prove that a practical cipher is secure.
• Difficult to protect against unknown attacks.
Focus on preventing known attacks:
• Linear cryptanalysis is focused on finding affine approximations to the action of a cipher: linear relations between plaintext, ciphertext and key bits that hold with probability noticeably different from 1/2.
• Differential cryptanalysis is focused on how differences in cipher input affect the resulting difference in the cipher output: input differences that produce a predictable output difference with high probability.
Achieving security
The goal is to achieve an "appropriate" level of confusion and diffusion.
• Avalanche effect: flipping a single input bit should change, on average, one half of the output bits, and every output bit should depend on every input bit (informal interpretation).
• Number of rounds vs. round complexity: a weak round function (TEA) needs many rounds; a strong one (AES) needs few.
• Security vs. efficiency
• Return on investment: rounds beyond the reach of the best known attack buy a security margin at a linear cost in speed.
Modes of Operations
(Iterated) Block Cipher
Plaintext and ciphertext consist of fixed-sized blocks.
A ciphertext block is obtained from a plaintext block by iterating a round function.
• Input to the round function consists of a round key (derived from the key by the key schedule) and the output of the previous round.
• The output of the last round is one ciphertext block.
• Encryption continues until there are no plaintext blocks left.
• But what do we do with those ciphertext blocks, and how should the blocks of one message relate to each other? That is what a mode of operation specifies.
Modes of Operation
Many modes - we discuss the 3 most popular.
Electronic Codebook (ECB) mode
• Encrypt each block independently.
• Most obvious approach, but a bad idea.
Cipher Block Chaining (CBC) mode
• Chain the blocks together.
• More secure than ECB, virtually no extra work.
Counter Mode (CTR) mode
• The block cipher acts like a stream cipher.
• Popular for random access and parallel encryption.
None of the three protects integrity: an attacker can rearrange or modify ciphertext blocks without detection. In practice a MAC or an authenticated mode (e.g. AES-GCM) is layered on top; the manipulations on the following slides are the reason why.
Codebook Ciphers
Literally, a "code book" cipher: a table that maps each word or phrase to a code group, so the same word always produces the same group.
An example from an 1888 code book:
[Figure: page from an 1888 code book, not reproduced here]
ECB Mode
Electronic Codebook (ECB) mode.
Most obvious way to use a block cipher.
• Encrypt all plaintext blocks, each on its own: Ci = E(Pi, K).
• Concatenate all resulting ciphertext blocks.
• Output ciphertext.
[Figure: ECB mode encryption diagram. Image source: Wikipedia, "Block cipher mode of operation"]
ECB Cut and Paste
Suppose plaintext is:
• Alice digs Bob. Trudy digs Tom.
Assuming 64-bit blocks and 8-bit ASCII (eight characters per block):
• P0 = "Alice di", P1 = "gs Bob. ",
• P2 = "Trudy di", P3 = "gs Tom. "
Attack:
• Ciphertext: C0, C1, C2, C3.
• Trudy cuts and pastes: C0, C3, C2, C1.
• Decrypts as "Alice digs Tom. Trudy digs Bob." Trudy never needed the key, only knowledge of where the block boundaries fall in the message.
ECB Weakness
Suppose Pi = Pj.
• Then Ci = Cj and Trudy knows Pi = Pj.
• This gives Trudy some information, even if she does not know Pi or Pj.
• Trudy might know Pi (a standard header, padding, a field she submitted herself), and then she learns Pj too.
Q: Is this a serious issue?
A: Yes. Real data is full of repeated blocks (file headers, runs of zeros, pixels of one colour), and with ECB the ciphertext reveals the whole pattern of repetitions. The next slide shows it visually.
Alice hates ECB mode
[Figure: the Linux penguin (Tux) image encrypted in ECB mode; the outline is still clearly visible. Image source: Wikipedia, "Block cipher mode of operation"]
Q: Why does it happen?
A: Every block of identical pixel data encrypts to the same ciphertext block under the same key, so areas of uniform colour stay uniform and the shape survives encryption.
CBC Mode
Cipher Block Chaining (CBC) mode.
Blocks are "chained" together in a special way that introduces dependence between them: each plaintext block is XORed with the previous ciphertext block before encryption, Ci = E(Pi ⊕ Ci−1, K).
A random initialization vector, or IV, is required to initialize CBC mode.
• Nothing to chain the first block with, so C0 = IV.
• IV is random, but not secret (it is sent along with the ciphertext).
• It must also be unpredictable to the attacker: if she can guess the next IV, she can choose a plaintext that cancels it and test guesses about earlier blocks (the basis of the BEAST attack on TLS 1.0).
[Figure: CBC mode encryption diagram. Image source: Wikipedia, "Block cipher mode of operation"]
CBC Mode
Identical plaintext blocks yield different ciphertext blocks - this is very good!
But what about errors in transmission?
• If C1 is garbled to, say, G then P1 ≠ C0 ⊕ D(G, K) and P2 ≠ G ⊕ D(C2, K)
• But P3 = C2 ⊕ D(C3, K), P4 = C3 ⊕ D(C4, K), ....
• Automatically recovers from errors!
• One damaged block propagates to two plaintext blocks: the one it decrypts to (completely scrambled) and the next (only the damaged bit positions change).
Cut and paste is still possible, but more complex (and will cause garbles). More useful to Trudy: flipping bit j of Ci flips exactly bit j of Pi+1 while scrambling Pi, and flipping bits of the IV edits P1 with no garbling at all. This is the classic CBC bit-flipping attack, and it is why CBC needs a MAC.
Alice likes CBC mode
[Figure: the same Tux image encrypted in CBC mode looks like random noise. Image source: Wikipedia, "Block cipher mode of operation"]
Q: Why does it happen?
A: Because of the chaining, each ciphertext block depends on the IV and on all preceding plaintext blocks, so identical pixel blocks no longer produce identical ciphertext blocks.
CTR Mode
Counter Mode (CTR) mode.
• Use the block cipher like a stream cipher: encrypt a nonce plus counter, Ci = Pi ⊕ E(nonce ∥ i, K), and decrypt the same way.
• CTR is popular for random access: block i can be decrypted without touching the others.
• Preprocessing can greatly improve efficiency: the keystream can be computed before the data arrives, and in parallel.
• No need to have full blocks of data (no padding: the keystream is simply truncated).
• No error propagation in case of loss or damage: a flipped ciphertext bit flips exactly the same plaintext bit, which is convenient on noisy channels and equally convenient for an attacker who wants to edit the plaintext.
• Never recovers from IV (counter) errors: if sender and receiver disagree on the counter value, every block decrypts to garbage.
• Critical not to reuse an IV (nonce) with the same key: two messages encrypted with the same keystream XOR to the XOR of their plaintexts, exactly the two-time-pad failure.
[Figure: CTR mode encryption diagram. Image source: Wikipedia, "Block cipher mode of operation"]
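The three modes and the three failure modes described on the preceding slides (ECB cut-and-paste and repeated-block leakage, CBC error propagation after a garbled block, CTR nonce reuse), as an added runnable example that is not part of the original slides. Python's standard library has no block cipher, so the block cipher here is an assumed stand-in: a four-round Feistel network with HMAC-SHA256 as the round function (a textbook Luby-Rackoff pseudorandom permutation), chosen only so the script runs offline. The key, IV, nonce and all messages other than the slide's "Alice digs Bob" sentence are constructed for the example.

```python
# Added example: ECB / CBC / CTR on a 64-bit block cipher.
# The cipher is a stand-in (4-round Feistel, HMAC-SHA256 round function) so
# that the script runs offline; swap in AES for anything real.
import hashlib
import hmac

BLOCK = 8  # 64-bit blocks, as in the slides


def _xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    """Keyed round function: first 4 bytes of HMAC-SHA256(key, round || half)."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:4]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for rnd in range(4):                       # (L, R) -> (R, L xor f(R))
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r


def decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for rnd in reversed(range(4)):             # undo the rounds in reverse
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r


def _blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, pt: bytes) -> bytes:      # C_i = E(P_i)
    return b"".join(encrypt_block(key, p) for p in _blocks(pt))


def ecb_decrypt(key: bytes, ct: bytes) -> bytes:
    return b"".join(decrypt_block(key, c) for c in _blocks(ct))


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:   # C_i = E(P_i xor C_{i-1})
    out, prev = [], iv
    for p in _blocks(pt):
        prev = encrypt_block(key, _xor(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:   # P_i = D(C_i) xor C_{i-1}
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:   # same call decrypts
    out = bytearray()
    for i, chunk in enumerate(_blocks(data)):
        keystream = encrypt_block(key, nonce + i.to_bytes(4, "big"))  # E(nonce || i)
        out += _xor(chunk, keystream)          # a partial last block is just truncated
    return bytes(out)


def ecb_cut_and_paste(key: bytes) -> bytes:
    """The slide's attack: swap C1 and C3 without knowing the key."""
    c = _blocks(ecb_encrypt(key, b"Alice digs Bob. Trudy digs Tom. "))
    return ecb_decrypt(key, c[0] + c[3] + c[2] + c[1])


def ecb_repeats(key: bytes) -> int:
    """Distinct ciphertext blocks for a plaintext of three equal blocks plus one."""
    return len(set(_blocks(ecb_encrypt(key, b"AAAAAAAA" * 3 + b"BBBBBBBB"))))


def cbc_garble(key: bytes, iv: bytes) -> list:
    """Damage one bit of ciphertext block 1; report which plaintext blocks survive."""
    pt = bytes(range(40))                      # 5 constructed blocks
    ct = bytearray(cbc_encrypt(key, iv, pt))
    ct[BLOCK + 3] ^= 0x10                      # flip a bit inside block index 1
    return [a == b for a, b in zip(_blocks(cbc_decrypt(key, iv, bytes(ct))), _blocks(pt))]


def ctr_nonce_reuse(key: bytes, nonce: bytes) -> bool:
    """Same key+nonce twice: C1 xor C2 equals P1 xor P2, leaking the plaintexts."""
    p1, p2 = b"attack at dawn!!", b"retreat at dusk!"
    c1, c2 = ctr_crypt(key, nonce, p1), ctr_crypt(key, nonce, p2)
    return _xor(c1, c2) == _xor(p1, p2)


if __name__ == "__main__":
    key, iv, nonce = b"sixteen byte key", b"\x00" * 8, b"\x01\x02\x03\x04"
    print(ecb_cut_and_paste(key))
    print("distinct ECB blocks:", ecb_repeats(key))
    print("CBC blocks intact after garbling block 1:", cbc_garble(key, iv))
    print("CTR nonce reuse leaks P1 xor P2:", ctr_nonce_reuse(key, nonce))
```

In `cbc_garble` the list is zero-indexed, so `[True, False, False, True, True]` is the slide's statement that garbling one ciphertext block ruins that block and the next one and nothing after. The CTR function returns the same bytes for any nonce that is reused, which is the whole point: no part of the code stops you, so the caller must guarantee uniqueness.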
Stream Ciphers
Symmetric Key Crypto
Stream cipher - generalized one-time pad.
• Except that key is relatively short.
• Key is stretched into a long keystream.
• Keystream is used just like a one-time pad.
Block cipher - generalized codebook.
• Block cipher key determines a codebook.
• Each key yields a different codebook.
• Employs both confusion and diffusion.
Stream Ciphers
Stream ciphers used to be very popular. Today, not as popular as block ciphers.
We will discuss two stream ciphers.
A5/1
• Based on shift registers.
• Used in the GSM mobile phone system.
RC4
• Based on a changing lookup table.
• Used in many places (SSL/TLS, WEP, WPA-TKIP, Kerberos, ...).
A5/1
A5/1 is used to provide over-the-air communication security in the GSM cellular telephone standard in Europe and the United States.
It was initially kept secret, but became public knowledge through leaks and reverse engineering (1999). Remember Big Idea #3?
A number of feasible attacks are known. It is insecure: with precomputed rainbow tables (published by Karsten Nohl's project in 2009) a GSM call can be decrypted from intercepted ciphertext in practical time on commodity hardware.
A5/1: Shift Registers
Shift register:
• Cascade of connected flip-flops, sharing the same clock, in which the output of one is the input of the next one.
• Each clock tick shifts every bit by one position and shifts out the last bit in the register.
• May feed back some information: a linear feedback shift register (LFSR) XORs a fixed set of "tap" bits and feeds the result in at the other end.
A5/1 uses 3 such registers (64 bits of state in total).
• X : 19 bits (x0, x1, x2, ..., x18)
• Y : 22 bits (y0, y1, y2, ..., y21)
• Z : 23 bits (z0, z1, z2, ..., z22)
A5/1
[Figure: the three registers drawn as rows of cells, X = x0 ... x18, Y = y0 ... y21, Z = z0 ... z22; ⊕ gates mark the feedback taps of each register and the final XOR that produces the output bit]
• Each variable here is a single bit.
• Key is used as initial fill of registers.
• Each register steps (or not) based on maj(x8, y10, z10): this irregular, data-driven clocking is what separates A5/1 from a plain combination of LFSRs.
• Keystream bit is the XOR of the rightmost bits of the registers (x18, y21, z22), read after the stepping decision.
A5/1: Keystream
At each iteration: m = maj(x8, y10, z10)
• Examples: maj(0, 1, 0) = 0 and maj(1, 1, 0) = 1
If x8 = m then X steps
• t = x13 ⊕ x16 ⊕ x17 ⊕ x18
• xi = xi−1 for i = 18, 17, . . . , 1 and x0 = t
If y10 = m then Y steps
• t = y20 ⊕ y21
• yi = yi−1 for i = 21, 20, . . . , 1 and y0 = t
If z10 = m then Z steps
• t = z7 ⊕ z20 ⊕ z21 ⊕ z22
• zi = zi−1 for i = 22, 21, . . . , 1 and z0 = t
Keystream bit is x18 ⊕ y21 ⊕ z22
A5/1: Example
Register contents (leftmost bit is x0, y0, z0):
• X = 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1
• Y = 1 1 0 0 1 1 0 0 1 1 0 0 1 1 0 0 1 1 0 0 0 1
• Z = 1 1 1 0 0 0 0 1 1 1 1 0 0 0 0 1 1 1 1 0 0 0 1
• In this example, m = maj(x8, y10, z10) = maj(1, 0, 1) = 1.
• Register X steps (x8 = 1 = m), Y does not step (y10 = 0 ≠ m), and Z steps (z10 = 1 = m).
• X's feedback bit is x13 ⊕ x16 ⊕ x17 ⊕ x18 = 0 ⊕ 1 ⊕ 0 ⊕ 1 = 0 and Z's is z7 ⊕ z20 ⊕ z21 ⊕ z22 = 1 ⊕ 0 ⊕ 0 ⊕ 1 = 0; after the shift the rightmost bits are x18 = 0 (the old x17), y21 = 1 (unchanged) and z22 = 0 (the old z21).
• Keystream bit is the XOR of the rightmost bits of the registers after stepping.
• Here, keystream bit will be 0 ⊕ 1 ⊕ 0 = 1.
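The keystream generator specified on the previous two slides, as an added Python example (not code from the slides). The registers are filled directly with the bit strings of the worked example above; the real GSM key loading (mixing the 64-bit session key and the 22-bit frame number into the registers before output starts) is an assumption left out, so this reproduces the slide's arithmetic rather than a GSM session. The sample message is constructed.

```python
# Added example: A5/1 keystream generation as specified in these slides.
# Register bit i is stored at list index i, so the rightmost bit of X is x[18].
X_TAPS, Y_TAPS, Z_TAPS = (13, 16, 17, 18), (20, 21), (7, 20, 21, 22)
X_LEN, Y_LEN, Z_LEN = 19, 22, 23


def maj(a: int, b: int, c: int) -> int:
    """Majority of three bits."""
    return int(a + b + c >= 2)


def _step(reg: list, taps: tuple) -> list:
    """Shift right by one: r[i] = r[i-1]; the new r[0] is the XOR of the tap bits."""
    t = 0
    for i in taps:
        t ^= reg[i]
    return [t] + reg[:-1]


def clock(x: list, y: list, z: list) -> tuple:
    """One A5/1 clock: majority decision, conditional stepping, output bit.
    Returns the new registers and the keystream bit read after stepping."""
    m = maj(x[8], y[10], z[10])
    if x[8] == m:
        x = _step(x, X_TAPS)
    if y[10] == m:
        y = _step(y, Y_TAPS)
    if z[10] == m:
        z = _step(z, Z_TAPS)
    return x, y, z, x[18] ^ y[21] ^ z[22]


def keystream(x: list, y: list, z: list, n: int) -> list:
    """First n keystream bits from the given register fill."""
    bits_out = []
    for _ in range(n):
        x, y, z, bit = clock(x, y, z)
        bits_out.append(bit)
    return bits_out


def bits(s: str) -> list:
    """'1 0 1' -> [1, 0, 1]; spaces are ignored."""
    return [int(ch) for ch in s if ch in "01"]


def load(x: str, y: str, z: str) -> tuple:
    """Register fill from bit strings, with the length check the hardware implies."""
    regs = bits(x), bits(y), bits(z)
    if tuple(map(len, regs)) != (X_LEN, Y_LEN, Z_LEN):
        raise ValueError("registers must be 19, 22 and 23 bits long")
    return regs


def crypt(data: bytes, x: list, y: list, z: list) -> bytes:
    """XOR data with the keystream (one-time-pad style); the same call decrypts."""
    ks = keystream(x, y, z, 8 * len(data))
    out = bytearray()
    for i, byte in enumerate(data):
        k = 0
        for bit in ks[8 * i:8 * i + 8]:   # pack 8 keystream bits, MSB first
            k = (k << 1) | bit
        out.append(byte ^ k)
    return bytes(out)


# The register fill from the slide's worked example
EXAMPLE_X = "1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1"
EXAMPLE_Y = "1 1 0 0 1 1 0 0 1 1 0 0 1 1 0 0 1 1 0 0 0 1"
EXAMPLE_Z = "1 1 1 0 0 0 0 1 1 1 1 0 0 0 0 1 1 1 1 0 0 0 1"

if __name__ == "__main__":
    x, y, z = load(EXAMPLE_X, EXAMPLE_Y, EXAMPLE_Z)
    nx, ny, nz, bit = clock(x, y, z)
    print("first keystream bit:", bit, "| X stepped:", nx != x,
          "Y stepped:", ny != y, "Z stepped:", nz != z)
    print("first 16 bits:", "".join(map(str, keystream(x, y, z, 16))))
    msg = b"hello"                       # constructed sample message
    ct = crypt(msg, x, y, z)
    print(ct.hex(), crypt(ct, x, y, z))
```

Stepping returns fresh lists rather than mutating in place, so a caller can keep the initial fill and regenerate the same keystream; that property is exactly what makes reusing a fill for two messages fatal, as with any stream cipher.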
Shift Register Crypto
Shift register crypto is efficient in hardware: a few dozen flip-flops and XOR gates.
• But often slow if implemented in software, since it produces one bit per clock.
In the past, very, very popular.
• Today, more is done in software due to fast processors.
Shift register crypto is still used in some places.
• Especially in resource-constrained devices.
RC4
RC4 = Rivest Cipher 4, also known as ARC4 or ARCFOUR (the "A" stands for "alleged": the design leaked in 1994 and the name remains a trademark).
Remarkable simplicity and speed in software.
Particularly problematic uses of RC4 have led to very insecure protocols such as WEP (Wired Equivalent Privacy), which prepended a 24-bit IV to the shared key and so handed attackers exactly the related keys the cipher cannot tolerate.
Many attacks known. Biases in the keystream are strong enough that RC4 was prohibited in TLS in 2015 (RFC 7465); treat it as broken for new work.
RC4
A self-modifying lookup table.
The table always contains a permutation of the byte values 0, 1, ..., 255.
Initialize the permutation using the key (the key-scheduling algorithm, KSA).
At each step, RC4 does the following (the pseudo-random generation algorithm, PRGA)
• Swaps elements in the current lookup table.
• Selects a keystream byte from the table.
Each step of RC4 produces a byte.
• Efficient in software.
Each step of A5/1 produces only a bit.
• Efficient in hardware.
RC4 Initialization
S[] is a permutation of 0, 1, ..., 255. key[] contains N bytes of key (1 ≤ N ≤ 256); K[] is the key repeated to fill 256 bytes.
for i = 0 to 255
    S[i] = i
    K[i] = key[i (mod N)]
next i
j = 0
for i = 0 to 255
    j = (j + S[i] + K[i]) mod 256
    swap(S[i], S[j])
next i
i = j = 0
RC4 Keystream
At each step, swap elements in the table and select a keystream byte
i = (i + 1) mod 256
j = (j + S[i]) mod 256
swap(S[i], S[j])
t = (S[i] + S[j]) mod 256
keystreamByte = S[t]
Use keystream bytes like a one-time pad.
Note: the first 256 bytes should be discarded.
• Otherwise, a related-key attack exists: the first output bytes are strongly correlated with the key bytes (Fluhrer, Mantin and Shamir, 2001), which is what broke WEP. Implementations that still use RC4 typically drop at least 768 bytes ("RC4-drop"), and even that does not remove the long-term keystream biases.
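The KSA and PRGA above as an added Python example (not code from the slides), with an optional drop of initial keystream bytes. The `drop` parameter and the function names are this example's own; the values used to check it are the public RC4 test vectors (key "Key" with plaintext "Plaintext", key "Wiki" with "pedia", key "Secret" with "Attack at dawn").

```python
# Added example: RC4 key scheduling (KSA), keystream generation (PRGA) and
# encryption, following the pseudocode in these slides.
from typing import Iterator


def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: key-dependent permutation of 0..255."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF   # K[i] = key[i mod N]
        S[i], S[j] = S[j], S[i]
    return S


def rc4_prga(S: list) -> Iterator[int]:
    """Pseudo-random generation algorithm: endless keystream bytes (mutates S)."""
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4_keystream(key: bytes, n: int, drop: int = 0) -> bytes:
    """First n keystream bytes after discarding `drop` bytes (RC4-drop[drop])."""
    gen = rc4_prga(rc4_ksa(key))
    for _ in range(drop):
        next(gen)
    return bytes(next(gen) for _ in range(n))


def rc4_crypt(key: bytes, data: bytes, drop: int = 0) -> bytes:
    """XOR data with the keystream; encryption and decryption are the same call."""
    ks = rc4_keystream(key, len(data), drop)
    return bytes(a ^ b for a, b in zip(data, ks))


if __name__ == "__main__":
    print(rc4_crypt(b"Key", b"Plaintext").hex())          # bbf316e8d940af0ad3
    print(rc4_crypt(b"Key", rc4_crypt(b"Key", b"Plaintext")))
    print(rc4_keystream(b"Key", 8, drop=768).hex())
```

The public test vectors are for plain RC4 with no dropped bytes, which is why `drop` defaults to 0; any protocol that adopts RC4-drop has to agree on the drop count on both sides, since the receiver must skip exactly the same bytes.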
Stream Ciphers
Stream ciphers were popular in the past.
• Efficient in hardware.
• Speed was needed to keep up with voice, etc.
• Today, processors are fast, so software-based crypto is usually more than fast enough, and a block cipher in CTR mode gives a stream cipher whenever one is needed.
Future of stream ciphers?
• Shamir declared "the death of stream ciphers" (2004).
• May be greatly exaggerated: the eSTREAM project (2008) and ChaCha20, now used in TLS and SSH, are dedicated stream ciphers designed after that remark.
Cryptanalysis
Let’s revisit what we have learned about security and breaking it.
Crypto as a black box
[Figure: Alice encrypts plaintext P under the key to get ciphertext C; Bob decrypts C under the same key to recover P]
Who knows what?
[Figure: the same black-box picture with a shared key, and Trudy observing the channel between Alice and Bob]
Trudy knows the ciphertext. Trudy knows the cipher and how it works (Kerckhoffs's principle: security must rest on the key alone). Trudy might know a little more. Trudy does not know the key.
Who knows what?
[Figure: the same picture for public-key encryption, with one key of Bob's key pair used to encrypt and the other to decrypt]
Trudy knows the ciphertext. Trudy knows the cipher and how it works. Trudy might know a little more. Trudy does not know the private key, but she knows the public key, so she can produce ciphertexts of her own choosing.
Trudy's goals
Trudy wants to learn something. Trudy is not bound by any rules. She can do as she wishes with the information she has available.
We don't want her to be able to:
• Recover the key.
• Find the plaintext of a ciphertext.
• Determine any character of the plaintext.
• Derive any meaningful information about the plaintext.
• Compute any function of the plaintext.
Q: What is one property of a plaintext that is very difficult to hide?
A: Its length. Every mode above produces ciphertext whose length reveals the plaintext length (up to padding), so traffic analysis works even against a perfect cipher.
Exhaustive Key Search
Exhaustive key search - Trudy can simply try all possible keys and test each to see if it is correct.
• Remember, she has some ciphertexts (and usually knows what plaintext looks like), so she knows when she has found the right key.
To prevent an exhaustive key search, a cryptosystem must have a large keyspace.
• The keyspace is the set of all possible keys.
• There must be too many keys for Trudy to try them all in any reasonable amount of time: the 2^56 keys of DES were searched by a purpose-built machine in 1998; the 2^128 keys of AES are out of reach of any foreseeable computer.
Beyond Exhaustive Search
A large keyspace is necessary for security.
But a large keyspace is not sufficient.
• Shortcut attacks might exist: a 128-bit key is worthless if a weakness in the cipher lets Trudy recover it with 2^40 work.
• In cryptography we can (almost) never prove that no shortcut attack exists.
Definition of Secure
A cryptosystem is secure if the best known attack is to try all possible keys.
A cryptosystem is insecure if any shortcut attack is known, even one still far too expensive to run in practice: attacks only get better.
The size of the keyspace is the "advertised" level of security.
• The larger, the better!
Types of attacks
Ciphertext-only attack (COA)
• Trudy has access only to a set of ciphertexts.
Known-plaintext attack (KPA)
• Trudy has access to pairs of plaintext and ciphertext.
Chosen-plaintext attack (CPA)
• Trudy can obtain ciphertexts for arbitrary plaintexts of her choice.
Adaptive chosen-plaintext attack (CPA2)
• Trudy can obtain the ciphertexts of additional plaintexts after seeing the ciphertexts for some plaintexts, choosing each new query based on the previous answers.
Types of attacks
Chosen-ciphertext attack (CCA)
• Trudy can obtain plaintexts (decryptions) for arbitrary ciphertexts.
Adaptive chosen-ciphertext attack (CCA2)
• Trudy can obtain the plaintexts of additional ciphertexts after seeing the plaintexts for some ciphertexts. Padding-oracle attacks on CBC are real-world CCA2 attacks: the "decryption" answers are just the server's success or failure responses.
Types of attacks
Depending on the type of cipher (symmetric vs. asymmetric), different attacks are available to Trudy.
• Ciphertext-only attack
• Known-plaintext attack
• Chosen-plaintext attack / Adaptive chosen-plaintext attack
• Chosen-ciphertext attack / Adaptive chosen-ciphertext attack
With a public-key cipher Trudy can always mount a chosen-plaintext attack, since the encryption key is public; a symmetric cipher only faces CPA when the system lets her submit data for encryption (which many systems do).
Security Notions
Information-theoretic security
• Holds against a computationally unbounded adversary.
• The adversary simply does not have enough information to break the encryption (the one-time pad: every plaintext of the right length is equally consistent with the ciphertext).
Computational security
• Holds against a computationally bounded adversary.
• The adversary can succeed only with some very small probability, or only with an infeasible amount of work.
Security Notions
Symmetric Crypto
• Compared against known attacks or cryptanalytic approaches (linear, differential, related-key, ...).
• Measured with respect to known metrics (avalanche effect, security margin in rounds beyond the best attack).
Asymmetric Crypto
• Offers proofs of security in the form of reductions: breaking the scheme would solve a problem believed to be hard.
• Based on computationally difficult problems (factoring, discrete logarithms).