Introduction to Cybersecurity: Cryptography (Part 2)
Prof. Dr. Michael Backes
Lecture Summary
Stream ciphers
• Symmetric Encryption Schemes
• Attacker Goals
• OTP and Perfect Secrecy
• Pseudorandom Generators
Block ciphers
• Data Encryption Standard (DES)
• Feistel Networks
Attacks on Block Ciphers
• Exhaustive Search
• Meet-in-the-Middle
• Sophisticated Attacks
Foundations of Cybersecurity 2016
Recall: Ciphers
Symmetric encryption: Both Alice and Bob use the same key 𝑘.
Enc: 𝑐 = 𝐸(𝑘, 𝑚)
Dec: 𝑚′ = 𝐷(𝑘, 𝑐)
[Figure: Alice (holding 𝑘) encrypts 𝑚 to 𝑐 and sends it; Bob (holding 𝑘) decrypts 𝑐 to 𝑚′.]
Definition of Ciphers
Definition: Symmetric Encryption Scheme
A symmetric encryption scheme with key space [𝐾], message space ℳ and ciphertext space 𝐶 is a triple of algorithms (𝐾, 𝐸, 𝐷):
- The randomized key generation algorithm 𝐾 takes no input and returns a key 𝑘 ∈ [𝐾].
- The (often randomized) encryption algorithm 𝐸 takes a key 𝑘 ∈ [𝐾] and a message 𝑚 ∈ ℳ and returns a ciphertext 𝑐 ∈ 𝐶.
- The deterministic decryption algorithm 𝐷 takes a key 𝑘 ∈ [𝐾] and a ciphertext 𝑐 ∈ 𝐶 and returns a plaintext 𝑚 ∈ ℳ or a distinguished error symbol.
Correctness:
The above algorithms have to satisfy the following property: For any key 𝑘 ∈ [𝐾], any message 𝑚 ∈ ℳ, and any 𝑐 ∈ [𝐸(𝑘,𝑚)] (the set of possible outputs of 𝐸(𝑘,𝑚)), we have that 𝐷(𝑘, 𝑐) = 𝑚.
The One-Time-Pad
First “proven secure” cipher: One-time Pad (Vernam 1917, proven in 1949)
ℳ = 𝐶 = [𝐾] = {0,1}^𝑛
Secret key 𝑘 ∈ {0,1}^𝑛 = random bit string as long as the message
Encryption: 𝐸(𝑘,𝑚) = 𝑘 ⊕ 𝑚
Decryption: 𝐷(𝑘,𝑐) = 𝑘 ⊕ 𝑐
XOR truth table:
⊕ | 0 | 1
0 | 0 | 1
1 | 1 | 0
The One-Time-Pad (continued)
To show that the one-time pad (OTP) is a symmetric encryption scheme, we must show that it satisfies correctness.
Correctness:
For any key 𝑘 ∈ [𝐾], any message 𝑚 ∈ ℳ, and any 𝑐 ∈ [𝐸(𝑘,𝑚)], we have that 𝐷(𝑘, 𝑐) = 𝑚.
(proof on the board)
Very fast encryption and decryption
Problem: Key is as long as the message
- Have to generate lots of randomness
Security of Ciphers
So far we only have a syntactic definition of what a cipher is.
What does it mean for an encryption scheme to be secure?
Example: a syntactically correct encryption scheme that is clearly not secure: 𝐸(𝑘,𝑚) = 𝑚, 𝐷(𝑘,𝑐) = 𝑐
Types of Adversary Success
1. Total break: find the key
2. Universal break: find a method equivalent to decrypting with the key (without knowing the key)
3. Partial break: successfully decrypt only selected ciphertexts, but those completely
4. Partial information: successfully learn partial information about single plaintexts (individual bits, checksum, etc.)
1., 2. and 3. are clearly unacceptable.
Ruling out 4. might seem a strong requirement, but it is on the safe side, and what else could one require?
Security of Ciphers (continued)
Information theoretic security (Shannon, 1949)
Basic idea: Define that a ciphertext reveals “no” information about its plaintext.
Information theoretic security (informal):
An encryption scheme is information theoretically secure if “no information” about its plaintext is revealed.
Intuition:
No information about the plaintext is revealed if, instead of this plaintext, it could have been any other plaintext.
[Illustration: both “My secret is […]” and “Recipe for cake: […]” could be the plaintext behind the ciphertext 010010100110.]
Perfect Secrecy of Ciphers
Definition: Perfect Secrecy
Let (𝐾, 𝐸, 𝐷) be a symmetric encryption scheme with key space [𝐾], message space ℳ and ciphertext space 𝐶. The encryption scheme provides perfect secrecy if and only if the following holds for all 𝑚0, 𝑚1 ∈ ℳ and for all 𝑐 ∈ 𝐶:
- The probability that 𝑐 is the output of 𝐸(𝑘,𝑚0) is equal to the probability that 𝑐 is the output of 𝐸(𝑘,𝑚1) (if we draw a key 𝑘 ← 𝐾 before encrypting):
Pr[𝑐 = 𝑐′ : 𝑘 ← 𝐾, 𝑐′ ← 𝐸(𝑘,𝑚0)] = Pr[𝑐 = 𝑐′ : 𝑘 ← 𝐾, 𝑐′ ← 𝐸(𝑘,𝑚1)]
[Illustration: encrypting “My secret is […]” with 𝑘 ← 𝐾 and encrypting “Recipe for cake: […]” with 𝑘 ← 𝐾 both yield the ciphertext 010010100110 with the same probability.]
Consequences of Perfect Secrecy
Perfect secrecy ensures:
Given a ciphertext 𝑐, no adversary can tell if the ciphertext contains 𝑚0 or 𝑚1 (for any 𝑚0 and 𝑚1).
Perfectly secure:
No ciphertext-only attack possible! (but other attacks might be possible)
[Illustration: the ciphertext 010010100110 could equally well be “My secret is […]”, “Recipe for cake: […]” or “In a hole in the ground […]”.]
Perfect Secrecy of the OTP
Lemma: The one-time pad has perfect secrecy.
(proof on the board)
Reminder (OTP):
Encryption: 𝐸(𝑘,𝑚) = 𝑘 ⊕ 𝑚
Decryption: 𝐷(𝑘,𝑐) = 𝑘 ⊕ 𝑐
XOR: 0 ⊕ 0 = 0, 0 ⊕ 1 = 1, 1 ⊕ 0 = 1, 1 ⊕ 1 = 0
Reminder (perfect secrecy):
Pr[𝑐 = 𝑐′ : 𝑘 ← 𝐾, 𝑐′ ← 𝐸(𝑘,𝑚0)] = Pr[𝑐 = 𝑐′ : 𝑘 ← 𝐾, 𝑐′ ← 𝐸(𝑘,𝑚1)]
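The correctness requirement, the perfect-secrecy definition and the “syntactically correct but insecure” scheme 𝐸(𝑘,𝑚) = 𝑚 can all be checked by exhaustive enumeration for a small 𝑛. The following Python program is an added example written for this page, not code from the lecture; every function in it is an illustration. It enumerates the whole key space {0,1}^𝑛, computes Pr[𝐸(𝑘,𝑚) = 𝑐] over a uniform key with exact fractions, and shows that the OTP satisfies the definition while 𝐸(𝑘,𝑚) = 𝑚 violates it (the ciphertext of 𝑚0 is never the ciphertext of a different 𝑚1).

```python
"""Exhaustive check of correctness and perfect secrecy for small n.

Added example (not from the lecture). Messages, keys and ciphertexts all live
in {0,1}^n, represented as tuples of bits; probabilities are exact Fractions
over a uniformly drawn key k <- K.
"""
from fractions import Fraction
from itertools import product


def all_bitstrings(n):
    """All elements of {0,1}^n as tuples of ints."""
    return list(product((0, 1), repeat=n))


def xor(a, b):
    """Bitwise XOR of two equally long bit tuples."""
    return tuple(x ^ y for x, y in zip(a, b))


# One-time pad: E(k, m) = k XOR m, D(k, c) = k XOR c.
def otp_encrypt(k, m):
    return xor(k, m)


def otp_decrypt(k, c):
    return xor(k, c)


# The syntactically correct scheme from the slides: E(k, m) = m, D(k, c) = c.
def identity_encrypt(k, m):
    return m


def identity_decrypt(k, c):
    return c


def is_correct(encrypt, decrypt, n):
    """Correctness: D(k, E(k, m)) = m for every key k and message m in {0,1}^n."""
    space = all_bitstrings(n)
    return all(decrypt(k, encrypt(k, m)) == m for k in space for m in space)


def ciphertext_distribution(encrypt, m, n):
    """Pr[c' = c : k <- K, c' <- E(k, m)] for every c, as a dict c -> Fraction.
    The key is uniform over {0,1}^n; both schemes here are deterministic in k."""
    keys = all_bitstrings(n)
    dist = {}
    for k in keys:
        c = encrypt(k, m)
        dist[c] = dist.get(c, Fraction(0)) + Fraction(1, len(keys))
    return dist


def has_perfect_secrecy(encrypt, n):
    """Perfect secrecy: for all m0, m1 and all c, the probabilities
    Pr[E(k, m0) = c] and Pr[E(k, m1) = c] (over the key) are equal."""
    msgs = all_bitstrings(n)
    dists = {m: ciphertext_distribution(encrypt, m, n) for m in msgs}
    zero = Fraction(0)
    for m0 in msgs:
        for m1 in msgs:
            for c in all_bitstrings(n):
                if dists[m0].get(c, zero) != dists[m1].get(c, zero):
                    return False
    return True


if __name__ == "__main__":
    n = 3
    print("OTP correct:", is_correct(otp_encrypt, otp_decrypt, n))
    print("OTP perfectly secret:", has_perfect_secrecy(otp_encrypt, n))
    print("E(k,m)=m correct:", is_correct(identity_encrypt, identity_decrypt, n))
    print("E(k,m)=m perfectly secret:", has_perfect_secrecy(identity_encrypt, n))
```

For the OTP every ciphertext has probability exactly 1/2^𝑛 under every message, which is the equality the definition demands; the check is also a direct illustration of the optimality theorem that follows, since it only works because the key space is as large as the message space.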
Bad News: OTP is optimal
Theorem: Optimality of the OTP
Let (𝐾,𝐸,𝐷) be a cipher with message space ℳ, ciphertext space 𝐶, and key space [𝐾]. If the cipher provides perfect secrecy, then |[𝐾]| ≥ |ℳ|.
(proof on the board)
Bad news:
Thus perfect secrecy implies that key length ≥ message length.
The keys are too long for this to be practical.
Stream Ciphers
The key for the one-time pad is a random string 𝑘 ∈ {0,1}^𝑛.
Idea: Stream cipher
Replace “random” by “pseudorandom”.
The secret key now is a “seed”:
ciphertext = PRG(seed) ⊕ plaintext
Idea: PRG
A pseudorandom generator (PRG) expands a small seed of random bits into a large amount of (somewhat) random bits.
Stream Ciphers (continued)
Question: What sort of property do PRGs have to satisfy so that a stream cipher is “secure”?
PRG should be unpredictable:
Not only about hiding the seed, but also about not allowing anyone to “look forward” to which randomness will be created next.
Security of stream ciphers:
Is perfect secrecy possible?
Perfect secrecy is impossible: |[𝐾]| < |ℳ| (the seed is shorter than the message).
The security depends on the PRG.
Why Unpredictability of PRGs?
Often the prefix of a message is known, e.g., a fixed header of an email.
Lots of PRGs don’t satisfy this.
Don’t use UNIX rand() for security (/dev/random is better)!
[Illustration: ciphertext = PRG(seed) ⊕ plaintext. From the known header and the ciphertext one obtains the corresponding part of PRG(seed); if the PRG is predictable, the rest of PRG(seed) can be predicted from it and the rest of the plaintext leaks.]
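To make the “look forward” problem concrete, here is an added Python example written for this page (not code from the lecture). It builds the stream cipher from two toy generators: a deliberately predictable 8-bit linear congruential generator whose output byte is its entire internal state, and a counter-mode SHA-256 generator, which is an assumed stand-in for a cryptographic PRG and is seeded from operating-system randomness as the next slide recommends. The mail header and body are constructed. In both cases the part of PRG(seed) under the known header is simply ciphertext ⊕ header; for the predictable generator that prefix determines the rest of the keystream and the whole message is exposed, while for the hash-based generator the known prefix says nothing about later keystream bytes.

```python
"""Stream cipher = PRG(seed) XOR plaintext; why the PRG must be unpredictable.

Added example, not from the lecture. Both generators, the mail header and the
message body are constructed for illustration.
"""
import hashlib
import secrets


def xor_bytes(a, b):
    """Bytewise XOR of two byte strings (truncated to the shorter one)."""
    return bytes(x ^ y for x, y in zip(a, b))


def weak_prg(seed, nbytes):
    """Toy linear congruential generator over one byte:
    state <- (5 * state + 3) mod 256, output = state.
    Every output byte IS the complete state, so whoever sees one output byte
    can compute all following ones: this generator is predictable."""
    out = bytearray()
    state = seed % 256
    for _ in range(nbytes):
        state = (5 * state + 3) % 256
        out.append(state)
    return bytes(out)


def weak_prg_continue(last_output, nbytes):
    """The next nbytes of weak_prg output after the byte last_output,
    computed from that byte alone (the seed is not needed)."""
    return weak_prg(last_output, nbytes)


def hash_prg(seed, nbytes):
    """Counter-mode hash generator: block i = SHA-256(seed || i).
    Assumed here as a stand-in for a cryptographic PRG; the seed must stay
    secret and should come from true randomness (e.g. the operating system)."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:nbytes])


def stream_crypt(keystream, data):
    """Encrypt or decrypt: data XOR keystream (an OTP with a pseudorandom pad)."""
    if len(keystream) < len(data):
        raise ValueError("keystream too short")
    return xor_bytes(keystream, data)


def leaked_keystream(ciphertext, known_prefix):
    """What an observer learns from a known plaintext prefix: the keystream
    bytes under that prefix, since c XOR m = PRG(seed) on those positions."""
    return xor_bytes(ciphertext[: len(known_prefix)], known_prefix)


def plaintext_from_known_prefix_weak(ciphertext, known_prefix):
    """With weak_prg the leaked prefix fixes the rest of the keystream, so the
    complete plaintext follows without ever learning the seed."""
    prefix = leaked_keystream(ciphertext, known_prefix)
    rest = weak_prg_continue(prefix[-1], len(ciphertext) - len(prefix))
    return xor_bytes(prefix + rest, ciphertext)


def demo():
    """Constructed message: a fixed header (known to everyone) and a secret body.
    Returns (msg, header, ciphertext under weak_prg, ciphertext under hash_prg, seed)."""
    header = b"From: alice@example.test\nTo: bob@example.test\n"
    body = b"Budget for next year: 4200 EUR"
    msg = header + body
    c_weak = stream_crypt(weak_prg(0x5A, len(msg)), msg)   # predictable PRG
    seed = secrets.token_bytes(16)                           # OS randomness as seed
    c_hash = stream_crypt(hash_prg(seed, len(msg)), msg)    # hash-based PRG
    return msg, header, c_weak, c_hash, seed


if __name__ == "__main__":
    msg, header, c_weak, c_hash, seed = demo()
    print("weak PRG, recovered from header only:",
          plaintext_from_known_prefix_weak(c_weak, header) == msg)
    print("hash PRG, recovered from header only:",
          plaintext_from_known_prefix_weak(c_hash, header) == msg)
```

The weak generator here is a caricature: real library generators such as rand() keep more state, but the same structural problem (output that reveals future output) is what makes them unsuitable as a stream-cipher PRG, which is why the slide says to use a generator that is unpredictable.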
Getting True Randomness
How to get (weak) randomness in practice:
- User throws coins, …
- User typing behaviour, values derived from load/system parameters, …
Stronger: Exploit different physical processes that are expected to be random (some provably random)
- Thermal noise, air perturbation, …
Randomness from all inputs is XORed and hashed to remove bias.
Works well but too slow for some purposes
- For instance, the RNG in Intel designs delivers 10 Kbit/s
- Use true randomness as seed for a PRG
Good PRGs also allow entropy to be added (e.g., OpenSSL)
Attacks on OTP and Stream Ciphers
“Two-time” pad:
- 𝑐1 = 𝐸(𝑘,𝑚1) = 𝑘 ⊕ 𝑚1
- 𝑐2 = 𝐸(𝑘,𝑚2) = 𝑘 ⊕ 𝑚2
𝑐1 ⊕ 𝑐2 = 𝑚1 ⊕ 𝑚2
Vulnerable to frequency analysis, etc.
Keys must only be used once!
How to Use a Stream Cipher (for more than one message)
Assume we already have a strong (but slow) cipher 𝐸∗ for encrypting small blocks and we have a PRG.
1. Pick a random seed.
2. Transfer it in a secure way.
3. Use the PRG to produce a pseudorandom stream.
4. Use the pseudorandom stream to encrypt messages.
𝐸(𝑘,𝑚) = 𝐸∗(𝑘, 𝑠𝑒𝑒𝑑) || 𝑚 ⊕ 𝑃𝑅𝐺(𝑠𝑒𝑒𝑑)
(the first part uses the strong cipher, the second part the fast cipher)
Attacks on OTP and Stream Ciphers
Example: Electronic voting with OTP
Votes can be either for party A (𝑚 = 0) or for party B (𝑚 = 1). However, there are predictions about the result.
The OTP is highly malleable, i.e., the messages can be modified:
[Illustration: A encrypts 𝑚 as 𝑐 = 𝑚 ⊕ 𝑘; in transit 𝑐 is replaced by 𝑐∗ = 𝑐 ⊕ 1; B decrypts 𝑐∗ ⊕ 𝑘 = 𝑚 ⊕ 1.]
Attack: XOR-ing the ciphertext with 1. If the attacker intercepts the ciphertext 𝑐 and computes 𝑐∗ = 𝑐 ⊕ 1, he swaps the result of the vote!
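The two properties from the last two slides, key reuse (𝑐1 ⊕ 𝑐2 = 𝑚1 ⊕ 𝑚2) and malleability (𝑐 ⊕ 1 decrypts to 𝑚 ⊕ 1), as an added Python example written for this page rather than taken from the lecture. Keys and messages are constructed. The point for a defender is the one the slides make: the key cancels out as soon as it is used twice, which is why a pad or keystream must never be reused, and a perfectly secret cipher still does nothing to stop a ciphertext from being modified, which is the “other attacks might be possible” remark made concrete.

```python
"""Key reuse and malleability of OTP / stream ciphers, as on the slides.

Added example, not from the lecture; keys and messages are constructed.
  * Two-time pad: c1 XOR c2 = m1 XOR m2, the key cancels, and a known m2
    (e.g. a predictable message) gives m1 without the key.
  * Malleability: c* = c XOR 1 decrypts to m XOR 1, so a one-bit vote
    (0 = party A, 1 = party B) is inverted in transit and nothing detects it.
"""
import secrets


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(key, msg):
    """E(k, m) = k XOR m; the key must be at least as long as the message."""
    if len(key) < len(msg):
        raise ValueError("key shorter than message")
    return xor_bytes(key, msg)


def otp_decrypt(key, c):
    """D(k, c) = k XOR c."""
    return xor_bytes(key, c)


def xor_of_plaintexts(c1, c2):
    """Two-time pad: (k XOR m1) XOR (k XOR m2) = m1 XOR m2."""
    return xor_bytes(c1, c2)


def other_plaintext(c1, c2, known_m2):
    """If m2 is known, m1 = (c1 XOR c2) XOR m2; the key is never needed."""
    return xor_bytes(xor_of_plaintexts(c1, c2), known_m2)


def flip_vote(ciphertext):
    """Malleability: XOR the (one-byte) ciphertext with 1."""
    return bytes([ciphertext[0] ^ 1])


def two_time_pad_demo(reuse_key):
    """Encrypt two constructed messages, under one key if reuse_key is True,
    otherwise under two fresh keys. Returns (m1, m1 as derived from c1, c2, m2)."""
    m1 = b"meeting moved to 14:00"  # constructed secret message
    m2 = b"see you tomorrow at 10"  # constructed message assumed to be known
    k1 = secrets.token_bytes(len(m1))
    k2 = k1 if reuse_key else secrets.token_bytes(len(m2))
    c1 = otp_encrypt(k1, m1)
    c2 = otp_encrypt(k2, m2)
    return m1, other_plaintext(c1, c2, m2)


def vote_demo(vote):
    """A one-bit vote encrypted with a fresh one-byte pad and modified in
    transit; returns the bit the tallying side decrypts."""
    key = secrets.token_bytes(1)
    c = otp_encrypt(key, bytes([vote]))
    c_star = flip_vote(c)
    return otp_decrypt(key, c_star)[0]


if __name__ == "__main__":
    m1, derived = two_time_pad_demo(reuse_key=True)
    print("same key, m1 derived without the key:", derived == m1)
    m1, derived = two_time_pad_demo(reuse_key=False)
    print("fresh keys, m1 derived without the key:", derived == m1)
    print("vote 0 arrives as", vote_demo(0), "; vote 1 arrives as", vote_demo(1))
```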
On Attack Models (for ciphers) – Passive Attacks
Ciphertext-only attack: observation of ciphertext(s) (passive)
Known plaintext attack: observation of plaintext(s) together with the corresponding ciphertext(s) (passive)
On Attack Models (cont’d) – Active Attacks
Chosen plaintext attack: plaintexts selectable by the attacker (active)
Chosen ciphertext attack: ciphertexts selectable by the attacker (active)
Example PRG: RC4
RC4: invented by Rivest in 1987
Starts with a seed (the key), keeps a table 𝑆 of 256 bytes
𝑆 stores a permutation of {0,…,255}
Initialization maps the seed to an element of Perm({0,…,255})
[Illustration: table 𝑆 indexed 0, 1, 2, 3, … with two pointers 𝑖 and 𝑗.]
RC4 Program and Initialization
RC4 Program (one output byte per step):
- i = j = 0 (once, after initialization)
- i = i + 1 (mod 256)
- j = j + S[i] (mod 256)
- Swap S[i] and S[j]
- t = S[i] + S[j] (mod 256)
- Output S[t]
Init (given key K):
- j = 0; for i = 0 to 255: S[i] = i
- for i = 0 to 255:
  - j = j + S[i] + K[i mod keylen] (mod 256) (key could be short)
  - Swap S[i] and S[j]
Attacks on RC4
Widely used: SSL, TLS, 802.11b WEP
Some successful (weak) attacks on RC4:
- Problems with Init: the second output byte is twice as likely to be 0 as it should be (2/256 instead of 1/256):
  Workaround: drop the first 256 bytes of output
- Statistical attacks: the probability of seeing the pair (0,0) is 1/256^2 + 1/256^3 (i.e., biased by 1/256^3).
  After (256^2)^3 = 2^48 ≈ 10^16 bytes, one can distinguish RC4 output from random with probability > 99%.
RC4 is not provably secure but works pretty well in practice (and is used in lots of products such as web browsers)
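The program from the two slides above written out in Python, as an added example for this page (not code from the lecture). It carries the “drop the first bytes” workaround as a parameter and includes a small experiment that measures how often the second keystream byte is 0 over random 16-byte keys, which comes out near 2/256 rather than the ideal 1/256. The test vector used (key b"Key", plaintext b"Plaintext", ciphertext bbf316e8d940af0ad3) is the widely published RC4 test vector.

```python
"""RC4 key scheduling and keystream generation, exactly as on the slides.

Added example, not from the lecture. Includes the 'drop the first n bytes'
workaround and a measurement of the second-byte bias over random keys.
"""
import random


def rc4_init(key):
    """Key-scheduling: turn the key into a permutation S of {0, ..., 255}."""
    if not key:
        raise ValueError("empty key")
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key, nbytes, drop=0):
    """Generate nbytes of keystream, discarding the first `drop` bytes
    (the workaround for the biased early output)."""
    S = rc4_init(key)
    i = j = 0
    out = bytearray()
    for _ in range(drop + nbytes):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        t = (S[i] + S[j]) % 256
        out.append(S[t])
    return bytes(out[drop:])


def rc4_crypt(key, data, drop=0):
    """Encrypt or decrypt: data XOR keystream (same call for both directions)."""
    ks = rc4_keystream(key, len(data), drop)
    return bytes(a ^ b for a, b in zip(ks, data))


def second_byte_zero_rate(trials, rng_seed=1):
    """Fraction of random 16-byte keys whose second keystream byte is 0.
    A perfect generator would give 1/256; RC4 gives about 2/256.
    Keys are drawn from a seeded PRNG so the experiment is repeatable."""
    rng = random.Random(rng_seed)
    zeros = 0
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        if rc4_keystream(key, 2)[1] == 0:
            zeros += 1
    return zeros / trials


if __name__ == "__main__":
    c = rc4_crypt(b"Key", b"Plaintext")
    print("ciphertext:", c.hex())                       # bbf316e8d940af0ad3
    print("round trip:", rc4_crypt(b"Key", c))
    rate = second_byte_zero_rate(8000)
    print("P[second byte = 0] = %.5f (ideal %.5f)" % (rate, 1 / 256))
```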
Hardware PRG
LFSR (Linear Feedback Shift Register)
[Illustration: a shift register with cells K0 K1 K2 K3 K4 and linear feedback.]
Used in CSS, GSM, etc.
Standard solution for doing cheap hardware encryption (as a stream cipher)
Seed: initial value of the register
On their own not usable: the first bits output are the key bits
Content Scrambling System (CSS)
Key = 40 bits = 5 bytes (K0K1K2K3K4)
[Illustration: a 17-bit LFSR seeded with 1||K0K1 and a 25-bit LFSR seeded with 1||K2K3K4; their 8-bit outputs are added mod 256 to produce the keystream.]
Easy to break in time ca. 2^20 (2^40 with brute force)
More than one Encryption: Block Ciphers
[Illustration: 𝐸 maps a message block 𝑚 under key 𝐾 to a ciphertext block 𝑐 := 𝐸(𝐾,𝑚); 𝐷 maps 𝑐 under 𝐾 back to 𝑚 := 𝐷(𝐾,𝑐).]
Message block: short, e.g., 128 bits
Ciphertext block: also 128 bits
Data Encryption Standard (DES)
History:
1. 1967: Feistel at IBM: Lucifer; key-len = 128 bits, msg-len = CT-len = 128 bits
2. 1972: National Bureau of Standards (NBS, now NIST) asked for a federal encryption standard; IBM developed DES
3. 1975: DES became the standard: key-len = 56 bits, msg-len = CT-len = 64 bits
4. DES is (somewhat) vulnerable to brute force today
- 3-DES: 56 bits → 3·56 = 168 bits
- Successor of DES: Advanced Encryption Standard (AES):
• 1998: NIST: competition for a DES replacement
• 2000: Rijndael adopted as AES
Intuition of DES
Basic Idea: Feistel Networks:
- Also used in IDEA, RC5, Skipjack, …
- AES does not use a Feistel Network!
Feistel Networks: 𝑓1, …, 𝑓𝑑: {0,1}^𝑛 → {0,1}^𝑛
(for DES: 𝑛 = 32, 𝑑 = 16)
Feistel Networks
[Figure: the plaintext is split into halves 𝐿0 and 𝑅0 of 𝑛 bits each. Round 1 computes (𝐿1, 𝑅1) from (𝐿0, 𝑅0) using 𝑓1 and ⊕; Round 2 computes (𝐿2, 𝑅2) using 𝑓2; …; Round 𝑑 computes (𝐿𝑑, 𝑅𝑑) from (𝐿𝑑−1, 𝑅𝑑−1) using 𝑓𝑑. (𝐿𝑑, 𝑅𝑑) is the ciphertext.]
Intuition of DES (cont’d)
Feistel Networks: 𝑓1, …, 𝑓𝑑: {0,1}^𝑛 → {0,1}^𝑛 (for DES: 𝑛 = 32, 𝑑 = 16)
- (𝐿0, 𝑅0) := partition of the plaintext (PT) into two halves
- For 𝑖 = 1 to 𝑑:
• 𝐿𝑖 ← 𝑅𝑖−1
• 𝑅𝑖 ← 𝐿𝑖−1 ⊕ 𝑓𝑖(𝑅𝑖−1)
Feistel is one-to-one
Claim: For any functions 𝑓1, …, 𝑓𝑑, a Feistel network is a one-to-one map 𝐹: {0,1}^2𝑛 → {0,1}^2𝑛.
Proof: Construct 𝐹^−1 given 𝐶𝑇 ∈ {0,1}^2𝑛, 𝐶𝑇 = (𝐿𝑑, 𝑅𝑑).
[Figure: the last round, from (𝐿𝑑−1, 𝑅𝑑−1) to the ciphertext (𝐿𝑑, 𝑅𝑑) via 𝑓𝑑, read backwards.]
In symbols:
- 𝑅𝑑−1 = 𝐿𝑑, 𝐿𝑑−1 = 𝑅𝑑 ⊕ 𝑓𝑑(𝐿𝑑)
- 𝑅𝑑−2 = 𝐿𝑑−1, 𝐿𝑑−2 = 𝑅𝑑−1 ⊕ 𝑓𝑑−1(𝐿𝑑−1)
- …
- 𝑅0 = 𝐿1, 𝐿0 = 𝑅1 ⊕ 𝑓1(𝐿1)
The Feistel network inverts itself!
- Apply the functions 𝑓𝑖 in reverse order: 𝑓𝑑, 𝑓𝑑−1, 𝑓𝑑−2, …
Feistel “encryption” and “decryption”
Encryption by Feistel network:
- 𝑓1, …, 𝑓𝑑: {0,1}^32 → {0,1}^32
- (𝐿0, 𝑅0) := partition of the plaintext (PT)
- 𝐿1 = 𝑅0, 𝑅1 = 𝐿0 ⊕ 𝑓1(𝑅0)
- 𝐿2 = 𝑅1, 𝑅2 = 𝐿1 ⊕ 𝑓2(𝑅1)
- …
- 𝐿𝑑 = 𝑅𝑑−1, 𝑅𝑑 = 𝐿𝑑−1 ⊕ 𝑓𝑑(𝑅𝑑−1)
Decryption by backwards Feistel traversal:
- 𝑅𝑑−1 = 𝐿𝑑, 𝐿𝑑−1 = 𝑅𝑑 ⊕ 𝑓𝑑(𝐿𝑑)
- 𝑅𝑑−2 = 𝐿𝑑−1, 𝐿𝑑−2 = 𝑅𝑑−1 ⊕ 𝑓𝑑−1(𝐿𝑑−1)
- …
- 𝑅0 = 𝐿1, 𝐿0 = 𝑅1 ⊕ 𝑓1(𝐿1)
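The encryption and decryption recurrences above, and the claim that the network is one-to-one for any round functions, as an added Python example written for this page (not code from the lecture or from DES). Halves are 𝑛-bit integers; the round functions are constructed and deliberately not injective (squaring mod 2^𝑛 collides), so the exhaustive bijection check for 𝑛 = 4 shows that invertibility comes from the Feistel structure alone. The same code runs with the DES parameters 𝑛 = 32, 𝑑 = 16 on a 64-bit block, still with the toy round functions rather than the real DES 𝑓.

```python
"""Feistel network: encryption, decryption by reversed traversal, and an
exhaustive check that the map is one-to-one for arbitrary round functions.

Added example, not from the lecture. Halves are n-bit integers; the toy round
functions are constructed and deliberately NOT injective.
"""


def feistel_encrypt(L0, R0, round_functions, n):
    """Round i: L_i = R_{i-1}, R_i = L_{i-1} XOR f_i(R_{i-1}). Returns (L_d, R_d)."""
    mask = (1 << n) - 1
    L, R = L0, R0
    for f in round_functions:
        L, R = R, L ^ (f(R) & mask)
    return L, R


def feistel_decrypt(Ld, Rd, round_functions, n):
    """Backwards traversal with f_d, f_{d-1}, ..., f_1:
    R_{i-1} = L_i, L_{i-1} = R_i XOR f_i(L_i). Returns (L_0, R_0)."""
    mask = (1 << n) - 1
    L, R = Ld, Rd
    for f in reversed(round_functions):
        L, R = R ^ (f(L) & mask), L
    return L, R


def toy_round_functions(d, n):
    """Constructed round functions f_i(x) = (x*x + 3*i + 1) mod 2^n, i = 1..d.
    Squaring mod 2^n is not injective (x and 2^n - x collide), so no f_i has an
    inverse; a real cipher would derive f_i from the i-th round key instead."""
    mask = (1 << n) - 1
    return [(lambda x, i=i: (x * x + 3 * i + 1) & mask) for i in range(1, d + 1)]


def is_injective(f, n):
    """Does f: {0,1}^n -> {0,1}^n take 2^n distinct values?"""
    return len({f(x) for x in range(1 << n)}) == (1 << n)


def feistel_is_one_to_one(round_functions, n):
    """Exhaustively check that F: {0,1}^{2n} -> {0,1}^{2n} is a bijection by
    counting distinct images over all 2^{2n} inputs (fine for small n)."""
    images = set()
    for L0 in range(1 << n):
        for R0 in range(1 << n):
            images.add(feistel_encrypt(L0, R0, round_functions, n))
    return len(images) == 1 << (2 * n)


def split_block(block, n):
    """2n-bit block -> (left n bits, right n bits)."""
    mask = (1 << n) - 1
    return (block >> n) & mask, block & mask


def join_block(L, R, n):
    """(left n bits, right n bits) -> 2n-bit block."""
    return (L << n) | R


if __name__ == "__main__":
    fs = toy_round_functions(16, 4)
    print("f_1 injective:", is_injective(fs[0], 4))
    print("Feistel bijective on {0,1}^8:", feistel_is_one_to_one(fs, 4))
    des_like = toy_round_functions(16, 32)          # n = 32, d = 16 as in DES
    block = 0x0123456789ABCDEF                      # constructed 64-bit block
    Ld, Rd = feistel_encrypt(*split_block(block, 32), des_like, 32)
    back = join_block(*feistel_decrypt(Ld, Rd, des_like, 32), 32)
    print("ciphertext:", hex(join_block(Ld, Rd, 32)), "round trip ok:", back == block)
```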
Decrypting Feistel Networks
[Figure: left, encryption: (𝐿0, 𝑅0) → (𝐿1, 𝑅1) via 𝑓1 → (𝐿2, 𝑅2) via 𝑓2 → … → (𝐿𝑑, 𝑅𝑑) via 𝑓𝑑. Right, decryption: the same network run on the swapped halves, (𝑅𝑑, 𝐿𝑑) → (𝑅𝑑−1, 𝐿𝑑−1) via 𝑓𝑑 → (𝑅𝑑−2, 𝐿𝑑−2) via 𝑓𝑑−1 → … → (𝑅0, 𝐿0) via 𝑓1; each half is 𝑛 bits.]
DES
[Figure: plaintext → initial permutation IP → (𝐿0, 𝑅0) → 16-round Feistel network with 𝑓1, …, 𝑓16, giving (𝐿16, 𝑅16) → inverse of the initial permutation IP^−1 → ciphertext.]
Feistel Functions in DES
𝑓𝑖(𝑅𝑖−1) := 𝑓(𝑅𝑖−1, 𝐾𝑖), 𝑅𝑖−1 ∈ {0,1}^32
The round keys 𝐾𝑖 (48 bits) are derived from 𝐾 (56 bits) by a specified key schedule (each 𝐾𝑖 is a subset of the bits of 𝐾).
𝑓(𝑅𝑖−1, 𝐾𝑖): 𝑅𝑖−1 (32 bits), 𝐾𝑖 (48 bits)
- 𝑅𝑖−1 (32 bits) → 𝑅𝑖−1′ (48 bits) by the expansion permutation 𝐸 (blowup by bit replication)
- 𝑓(𝑅𝑖−1, 𝐾𝑖) := 𝑅𝑖−1′ (48 bits) ⊕ 𝐾𝑖 (48 bits)
[Figure: 𝑅𝑖−1 (32 bits) → expansion permutation 𝐸 → 48 bits → ⊕ subkey 𝐾𝑖 (48 bits) → 48 bits.]
Feistel Functions in DES (cont’d)
[Figure: 𝑅𝑖−1 (32 bits) → expansion permutation 𝐸 → 48 bits → ⊕ subkey 𝐾𝑖 (48 bits) → 48 bits → S-boxes S1 S2 S3 S4 S5 S6 S7 S8 → 32 bits → P-box (permutation P) → 32 bits.]
S-Boxes and P-Box
High-level Summary of DES
[Figure: plaintext (64-bit block) → initial permutation → L-block (32 bit) and R-block (32 bit). In each round: R-block → expansion (48 bit) → ⊕ key choice (48 bit, selected from the 56+8-bit key after the key permutation) → S1, S2, S3, …, S8 → ⊕ with the L-block; the results become the next L-block (32 bit) and R-block (32 bit). After the rounds: output permutation → ciphertext (64-bit block).]