CS682 – Advanced Security Topics
Lecture 1: Symmetric Encryption
Elias Athanasopoulos

Cryptography Roadmap

[Diagram: Cryptology splits into Cryptography and Cryptanalysis (Attacks). Remaining boxes: Symmetric Ciphers, Asymmetric Ciphers, Utilities (Hash Functions, MACs, etc.), Apps/Protocols (TLS, Tor, etc.)]

Basic Problem

[Diagram: Alice sends message m to Bob over the Internet; Oscar, sitting on the path, also obtains m.]

Oscar can see the message (confidentiality)
Oscar can modify the message (integrity)

Cryptographic Approach

[Diagram: Alice encrypts m under key K and sends ciphertext c over the Internet; Bob decrypts c with K to recover m; Oscar observes c. Alice and Bob share K over a secure channel.]

m: plaintext
c: ciphertext
k: key

Cryptosystem
• Encryption algorithm
• Decryption algorithm
• Key(s) involvement

Kerckhoffs's Principle

A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.

Security via Obscurity

• All crypto algorithms are assumed to be known
• Security is based on
  – Secrecy of the key
  – Hard to infer the plaintext via the ciphertext
• Cryptanalysis
  – Infer the plaintext from the ciphertext without knowing the key


DES

• Developed by IBM, based on the cipher Lucifer, under the influence of the National Security Agency (NSA); the design criteria for DES have not been published
• Most popular block cipher for most of the last 30 years and by far the best-studied symmetric algorithm
• Nowadays considered insecure due to the small key length of 56 bits
  – But: 3DES yields a very secure cipher, still widely used today
• Replaced by the Advanced Encryption Standard (AES) in 2000

DES Feistel Network

[Diagram: one Feistel round. The block is split into L0 (32 bits) and R0 (32 bits). Key scheduling derives the round key K1 (48 bits) from K (56 bits). R0 and K1 feed the function f, whose output is XORed (⊕) with L0 to give R1 (32 bits); L1 (32 bits) is R0.]

$L_i = R_{i-1}$
$R_i = L_{i-1} \oplus f(R_{i-1}, k_i)$
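The round equations above can be run directly. The following is an added example, not code from the lecture: it shows that a Feistel network decrypts with the same routine and the round keys reversed, even when f itself cannot be inverted. The round function `f` and the list `ROUND_KEYS` are constructed stand-ins, not the DES round function or key schedule.

```python
MASK = 0xFFFFFFFF  # each half is 32 bits, as in the diagram


def f(r, k):
    """Toy round function (assumption, NOT the DES f): squaring mod 2^32
    is many-to-one, so f cannot be inverted."""
    return (r * r + k) & MASK


def feistel(block, round_keys):
    """Apply L_i = R_{i-1}, R_i = L_{i-1} XOR f(R_{i-1}, k_i) to a 64-bit block."""
    left, right = block >> 32, block & MASK
    for k in round_keys:
        left, right = right, left ^ f(right, k)
    # Swap the halves at the end so that the same routine also decrypts.
    return (right << 32) | left


def encrypt(block, round_keys):
    return feistel(block, round_keys)


def decrypt(block, round_keys):
    # Decryption is the same network with the round keys in reverse order.
    return feistel(block, list(reversed(round_keys)))


# Constructed round keys; a real cipher derives them with its key schedule.
ROUND_KEYS = [(0x9E3779B9 * (i + 1)) & MASK for i in range(16)]

if __name__ == "__main__":
    m = 0x0123456789ABCDEF  # constructed sample block
    c = encrypt(m, ROUND_KEYS)
    print(f"{m:016x} -> {c:016x} -> {decrypt(c, ROUND_KEYS):016x}")
```

Only XOR has to be undone during decryption, which is why f is free to be a one-way function.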

AES History

• The need for a new block cipher announced by NIST in January, 1997
• 15 candidate algorithms accepted in August, 1998
• 5 finalists announced in August, 1999:
  – Mars, IBM Corporation
  – RC6, RSA Laboratories
  – Rijndael, J. Daemen & V. Rijmen
  – Serpent, Eli Biham et al.
  – Twofish, B. Schneier et al.
• In October 2000, Rijndael was chosen as the AES
• AES was formally approved as a US federal standard in November 2001

AES INTERNALS

High-level View of AES

[Diagram: AES takes 1 block of plaintext (128 bits) and a key (128/192/256 bits) and produces 1 block of ciphertext (128 bits).]

Key length    Rounds
128 bits      10
192 bits      12
256 bits      14

Rijndael can work with blocks of 128/192/256 bits; however, the standard (AES) supports only blocks of 128 bits.

AES/128 Work Flow

[Diagram: the key k goes through Key Scheduling (Key Expansion), which produces the round keys k0, k1, ..., k9, k10.]

plaintext
→ AddRoundKey (k0)
→ SubBytes, ShiftRows, MixColumns, AddRoundKey (k1)
→ ... 7 rounds ...
→ SubBytes, ShiftRows, MixColumns, AddRoundKey (k9)
→ SubBytes, ShiftRows, AddRoundKey (k10)
→ ciphertext

For 10 rounds there are 11 round keys

AES Internal State

Block of 128 bits or 16 bytes

S0  S4  S8   S12
S1  S5  S9   S13
S2  S6  S10  S14
S3  S7  S11  S15

AES Key State

Key of 192 bits

K0  K4  K8   K12  K16  K20
K1  K5  K9   K13  K17  K21
K2  K6  K10  K14  K18  K22
K3  K7  K11  K15  K19  K23

AddRoundKey

• The first AddRoundKey applies a XOR operation with the key and the AES state before any round takes place
  – This is called key whitening
• All additional AddRoundKey steps apply a XOR operation with the current AES state

SubBytes

• One AES S-box
• Takes one byte as an input and produces one byte as an output
  – Like a lookup table
• All bytes of the AES state (S0, S1, …, S15) pass through the S-box

[Diagram: each state byte S0, S1, ..., S14, S15 passes through the same S-box S, giving S'0, S'1, ..., S'14, S'15.]

AES S-box

   00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
00 63 7c 77 7b f2 6b 6f c5 30 01 67 2b fe d7 ab 76
10 ca 82 c9 7d fa 59 47 f0 ad d4 a2 af 9c a4 72 c0
20 b7 fd 93 26 36 3f f7 cc 34 a5 e5 f1 71 d8 31 15
30 04 c7 23 c3 18 96 05 9a 07 12 80 e2 eb 27 b2 75
40 09 83 2c 1a 1b 6e 5a a0 52 3b d6 b3 29 e3 2f 84
50 53 d1 00 ed 20 fc b1 5b 6a cb be 39 4a 4c 58 cf
60 d0 ef aa fb 43 4d 33 85 45 f9 02 7f 50 3c 9f a8
70 51 a3 40 8f 92 9d 38 f5 bc b6 da 21 10 ff f3 d2
80 cd 0c 13 ec 5f 97 44 17 c4 a7 7e 3d 64 5d 19 73
90 60 81 4f dc 22 2a 90 88 46 ee b8 14 de 5e 0b db
a0 e0 32 3a 0a 49 06 24 5c c2 d3 ac 62 91 95 e4 79
b0 e7 c8 37 6d 8d d5 4e a9 6c 56 f4 ea 65 7a ae 08
c0 ba 78 25 2e 1c a6 b4 c6 e8 dd 74 1f 4b bd 8b 8a
d0 70 3e b5 66 48 03 f6 0e 61 35 57 b9 86 c1 1d 9e
e0 e1 f8 98 11 69 d9 8e 94 9b 1e 87 e9 ce 55 28 df
f0 8c a1 89 0d bf e6 42 68 41 99 2d 0f b0 54 bb 16

The column is determined by the least significant 4 bits, and the row is determined by the other half (0x9a becomes 0xb8)

AES S-box

• Compared to DES, the S-box in AES has a very specific rationale
• Assuming that each byte from the AES state is a member of GF(2^8)
  – the S-box computes the inverse element and multiplies it by a constant value
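The S-box table can be regenerated from that rationale. The following is an added example, not code from the lecture: it inverts each byte in GF(2^8) and then applies the fixed affine map of the AES specification (a constant bit matrix over GF(2), written here as four rotations, followed by XOR with 0x63). The function names are chosen for this sketch.

```python
def gmul(a, b):
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def ginv(a):
    """Multiplicative inverse computed as a^254; 0 has no inverse and maps to 0."""
    r = 1
    for _ in range(254):
        r = gmul(r, a)
    return r


def rotl8(x, n):
    """Rotate an 8-bit value left by n bits."""
    return ((x << n) | (x >> (8 - n))) & 0xFF


def sbox_byte(a):
    """Inverse in GF(2^8), then the fixed affine map over GF(2)."""
    b = ginv(a)
    return b ^ rotl8(b, 1) ^ rotl8(b, 2) ^ rotl8(b, 3) ^ rotl8(b, 4) ^ 0x63


SBOX = [sbox_byte(a) for a in range(256)]


def lookup(row, col):
    """Index the table as on the slide: high nibble = row, low nibble = column."""
    return SBOX[(row << 4) | col]


if __name__ == "__main__":
    # Prints the same 16x16 table as the S-box slide.
    for row in range(16):
        print(f"{row:x}0 " + " ".join(f"{lookup(row, c):02x}" for c in range(16)))
```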

ShiftRows

Before:

S'0  S'4  S'8   S'12
S'1  S'5  S'9   S'13
S'2  S'6  S'10  S'14
S'3  S'7  S'11  S'15

After (row i is rotated left by i positions):

S'0   S'4   S'8   S'12
S'5   S'9   S'13  S'1
S'10  S'14  S'2   S'6
S'15  S'3   S'7   S'11

MixColumns

• Applies a linear transformation to each of the four columns of the state
• Cells with the same color are equally transformed
• Transformation is in GF(2^8)
• A change in a single byte affects several bytes

MixColumns Example

State after MixColumns:

C0   C4   C8   C12
C5   C9   C13  C1
C10  C14  C2   C6
C15  C3   C7   C11

For the first column:

$$\begin{pmatrix} C_0 \\ C_5 \\ C_{10} \\ C_{15} \end{pmatrix} = \begin{pmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{pmatrix} \begin{pmatrix} S'_0 \\ S'_5 \\ S'_{10} \\ S'_{15} \end{pmatrix}$$

The matrix is fixed
All elements are from GF(2^8)
All operations are in GF(2^8)
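The ShiftRows and MixColumns slides combine into the diffusion layer of AES. The following is an added example, not code from the lecture: it implements both steps on a 16-byte state stored in the slide's order (S0..S15, column by column) and counts how far a one-byte difference spreads. SubBytes and AddRoundKey are left out because they act on each byte separately and do not move a difference to other bytes; the sample state is constructed.

```python
def xtime(a):
    """Multiply by 02 in GF(2^8), reducing modulo x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a


def mix_column(col):
    """Multiply one column by the fixed matrix; 03*a is computed as 02*a XOR a."""
    a0, a1, a2, a3 = col
    t0, t1, t2, t3 = (xtime(a) for a in col)
    return [
        t0 ^ (t1 ^ a1) ^ a2 ^ a3,   # row 02 03 01 01
        a0 ^ t1 ^ (t2 ^ a2) ^ a3,   # row 01 02 03 01
        a0 ^ a1 ^ t2 ^ (t3 ^ a3),   # row 01 01 02 03
        (t0 ^ a0) ^ a1 ^ a2 ^ t3,   # row 03 01 01 02
    ]


def shift_rows(s):
    """Rotate row r left by r positions; byte (row r, column c) lives at s[r + 4*c]."""
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]


def mix_columns(s):
    out = []
    for c in range(4):
        out += mix_column(s[4 * c:4 * c + 4])
    return out


def bytes_changed(rounds, flip_index=0):
    """Flip one bit of one state byte and count differing bytes after
    `rounds` applications of ShiftRows followed by MixColumns."""
    a = list(range(16))            # constructed sample state
    b = list(a)
    b[flip_index] ^= 0x01
    for _ in range(rounds):
        a = mix_columns(shift_rows(a))
        b = mix_columns(shift_rows(b))
    return sum(x != y for x, y in zip(a, b))


if __name__ == "__main__":
    for n in range(3):
        print(f"after {n} round(s): {bytes_changed(n)} of 16 bytes differ")
```

Applying `mix_column` four times returns the original column, so three applications act as the inverse step used in decryption.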

AES Decryption

• AES is not based on a Feistel network
• All steps should be reversed in decryption
• All round keys should be generated in advance and used in the reverse order
• All steps are reversible, since they involve particular operations in GF(2^8)

AES Security

• Key space is too large for brute force
• No analytical attack better than brute force, so far
• Memory Corruption and Side Channels
  – Several attacks target the implementation of AES
  – For instance, a malicious process can steal the key of a benign process by just inferring computation (more on that in the software security part of the course)

Resources

• Mandatory read
  – Chapter 4 (free chapter), Understanding Cryptography, http://www.crypto-textbook.com
• A gift: http://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html