Introduction to Cybersecurity: Cryptography (Part 2)

Prof. Dr. Michael Backes


Lecture Summary

Streamciphers

• Symmetric Encryption Schemes

• Attacker Goals

• OTP and Perfect Secrecy

• Pseudorandom Generators

Blockciphers

• Data Encryption Standard (DES)

• Feistel Networks

Attacks on Blockciphers

• Exhaustive Search

• Meet-in-the-Middle

• Sophisticated Attacks

Foundations of Cybersecurity 2016

Recall: Ciphers

Symmetric encryption: Both Alice and Bob use the same key $k$.

Alice (Enc): input $m$ and $k$, output $c = E(k, m)$

Bob (Dec): input $c$ and $k$, output $m' = D(k, c)$

Definition of Ciphers


Definition: Symmetric Encryption Scheme

A symmetric encryption scheme with key space [𝐾], message space ℳ and ciphertext space 𝐶 is a triple of algorithms (𝐾, 𝐸, 𝐷):

The randomized key generation algorithm 𝐾 takes no input and returns a key 𝑘 ∈ [𝐾].

The (often randomized) encryption algorithm 𝐸 takes a key 𝑘 ∈ [𝐾] and a message 𝑚 ∈ ℳ and returns a ciphertext 𝑐 ∈ 𝐶.

The deterministic decryption algorithm 𝐷 takes a key 𝑘 ∈ [𝐾] and a ciphertext 𝑐 ∈ 𝐶 and returns a plaintext 𝑚 ∈ ℳ or a distinguished error symbol.

Correctness:

The above algorithms have to satisfy the following property: For any key $k \in [K]$, any message $m \in \mathcal{M}$, and any $c \in [E(k, m)]$, we have that $D(k, c) = m$.

The One-Time-Pad

First “proven secure” cipher: One-time Pad (Vernam 1917, proven in 1949)

$\mathcal{M} = C = K = \{0,1\}^n$

Secret key $k \in \{0,1\}^n$ = random bit string as long as the message

XOR:

  ⊕ | 0 | 1
  0 | 0 | 1
  1 | 1 | 0

Encryption: $E(k, m) = k \oplus m$

Decryption: $D(k, c) = k \oplus c$

The One-Time-Pad (continued)

To show that the one-time pad (OTP) is a symmetric encryption scheme, we must show that it satisfies correctness.

Very fast encryption and decryption

Problem: Key is as long as the message

Have to generate lots of randomness

Correctness:

For any key $k \in [K]$, any message $m \in \mathcal{M}$, and any $c \in [E(k, m)]$, we have that $D(k, c) = m$.

(proof on the board)

Security of Ciphers

So far we only have a syntactic definition of what a cipher is.

What does it mean for an encryption scheme to be secure?

Example: A syntactically correct encryption scheme: $E(k, m) = m$, $D(k, c) = c$

Types of Adversary Success

1. Total break: find the key

2. Universal break: find a method equivalent to being able to decrypt with the key

3. Partial Break: Successfully decrypt only selected ciphertexts, but those completely

4. Partial Information: Successfully learn partial information about single plaintexts (individual bits, checksum, etc.)

1., 2. and 3. are clearly unacceptable.

Ruling out 4. might seem a strong requirement, but it is on the safe side, and what else should we require?

Security of Ciphers (continued)

Information theoretic security (Shannon, 1949)

Basic Idea: Define that a ciphertext reveals “no” information about its plaintext

Information theoretic security (informal):

An encryption scheme is information theoretically secure, if “no information” about its plaintext is revealed.

Intuition:

No information about the plaintext is revealed, if instead of this plaintext, it could have been any other plaintext.

[Figure: the plaintexts “My secret is […]” and “Recipe for cake: […]” could both correspond to the ciphertext 010010100110.]

Perfect Secrecy of Ciphers


Definition: Perfect Secrecy

Let $(K, E, D)$ be a symmetric encryption scheme with key space $[K]$, message space $\mathcal{M}$ and ciphertext space $C$. The encryption scheme provides perfect secrecy if and only if the following holds for all $m_0, m_1 \in \mathcal{M}$ and for all $c \in C$:

− The probability that $c$ is the output of $E(k, m_0)$ is equal to the probability that $c$ is the output of $E(k, m_1)$ (if we draw a key $k \leftarrow K$ before encrypting).

$$\Pr[c = c' : k \leftarrow K,\ c' \leftarrow E(k, m_0)] = \Pr[c = c' : k \leftarrow K,\ c' \leftarrow E(k, m_1)]$$

[Figure: encrypting “My secret is […]” with $k \leftarrow K$ and encrypting “Recipe for cake: […]” with $k \leftarrow K$ yield the ciphertext 010010100110 with the same probability.]

Consequences of Perfect Secrecy

Perfect secrecy ensures:

Given a ciphertext $c$, no adversary can tell if the ciphertext contains $m_0$ or $m_1$ (for any $m_0$ and $m_1$).

Perfectly Secure:

No ciphertext-only attack possible! (but other attacks might be possible)

[Figure: the ciphertext 010010100110 could contain “My secret is […]”, “Recipe for cake: […]” or “In a hole in the ground […]”.]

Perfect Secrecy of the OTP

Lemma: The one-time pad has perfect secrecy

(proof on the board)

Reminder (one-time pad):

Encryption: $E(k, m) = k \oplus m$

Decryption: $D(k, c) = k \oplus c$

Reminder (perfect secrecy):

$$\Pr[c = c' : k \leftarrow K,\ c' \leftarrow E(k, m_0)] = \Pr[c = c' : k \leftarrow K,\ c' \leftarrow E(k, m_1)]$$

Bad News: OTP is optimal

Theorem: Optimality of the OTP

Let $(K, E, D)$ be a cipher with message space $\mathcal{M}$, ciphertext space $C$, and key space $[K]$. If the cipher provides perfect secrecy, then $|[K]| \ge |\mathcal{M}|$.

(proof on the board)

Bad News:

Thus perfect secrecy implies that (key length ≥ message length)

The keys are too long for this to be practical
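The definition of perfect secrecy and the optimality theorem can be checked exhaustively for tiny parameters. The following is an added example, not part of the lecture: it computes the exact ciphertext distribution of the OTP for 3-bit messages and of a toy cipher whose key space is smaller than its message space (the toy PRG is an assumption constructed for this illustration).

```python
from fractions import Fraction
from itertools import product

N = 3  # message length in bits; small enough to enumerate everything


def bitstrings(n):
    """All n-bit strings as tuples of 0/1."""
    return list(product((0, 1), repeat=n))


def xor(a, b):
    return tuple(x ^ y for x, y in zip(a, b))


def ciphertext_distribution(encrypt, keys, m):
    """Exact Pr[E(k, m) = c] for a uniformly drawn key k, as {c: probability}."""
    dist = {}
    for k in keys:
        c = encrypt(k, m)
        dist[c] = dist.get(c, Fraction(0)) + Fraction(1, len(keys))
    return dist


def has_perfect_secrecy(encrypt, keys, messages):
    """True iff every message induces the same ciphertext distribution."""
    dists = [ciphertext_distribution(encrypt, keys, m) for m in messages]
    return all(d == dists[0] for d in dists)


def distinguishing_triple(encrypt, keys, messages):
    """Return (m0, m1, c) with Pr[E(k,m0)=c] != Pr[E(k,m1)=c], or None."""
    for m0 in messages:
        d0 = ciphertext_distribution(encrypt, keys, m0)
        for m1 in messages:
            d1 = ciphertext_distribution(encrypt, keys, m1)
            for c in set(d0) | set(d1):
                if d0.get(c, 0) != d1.get(c, 0):
                    return m0, m1, c
    return None


def otp_encrypt(k, m):
    """One-time pad: key space = message space = {0,1}^N."""
    return xor(k, m)


def toy_prg(seed):
    """Constructed toy PRG: stretches a 2-bit seed to 3 bits (not a real PRG)."""
    return seed + (seed[0] ^ seed[1],)


def toy_stream_encrypt(seed, m):
    """Stream cipher built from toy_prg: only 4 keys for 8 messages."""
    return xor(toy_prg(seed), m)


if __name__ == "__main__":
    msgs = bitstrings(N)
    print("OTP perfectly secret:       ",
          has_perfect_secrecy(otp_encrypt, bitstrings(N), msgs))
    print("toy cipher perfectly secret:",
          has_perfect_secrecy(toy_stream_encrypt, bitstrings(2), msgs))
    print("witness (m0, m1, c):        ",
          distinguishing_triple(toy_stream_encrypt, bitstrings(2), msgs))
```

For the toy cipher, each message can reach only 4 of the 8 ciphertexts, so some ciphertext rules out some message: exactly the situation the theorem excludes when the key space is at least as large as the message space.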


Stream Ciphers

The key for the one-time pad is a random string $k \in \{0,1\}^n$

Idea: Stream cipher

Replace “random” by “pseudorandom”

The secret key now is a “seed”.

[Figure: seed → PRG(seed); PRG(seed) ⊕ plaintext = ciphertext]

Idea: PRG

A pseudorandom generator (PRG) expands a small seed of random bits into a large amount of (somewhat) random bits


Stream Ciphers (continued)

Question: What sort of property do PRGs have to satisfy so that a stream cipher is “secure”?

PRG should be unpredictable:

This is not only about hiding the seed, but also about not allowing anyone to “look forward” to the randomness that will be created next

Security of stream ciphers:

Is perfect secrecy possible?

Perfect secrecy is impossible: $|[K]| < |\mathcal{M}|$

The security depends on the PRG.

Why Unpredictability of PRGs?

Often the prefix of a message is known, e.g., a fixed header of an email.

Lots of PRGs don’t satisfy this

Don’t use UNIX rand for security (/dev/rnd better)!

[Figure: ciphertext = PRG(seed) ⊕ plaintext. A known header reveals the matching part of PRG(seed); if the rest of the stream can be predicted from it, the remaining plaintext leaks.]

Getting True Randomness

How to get (weak) randomness in practice:

- User throws coins,…

- User types, derived from load/system parameters, …

Stronger: Exploit different physical processes that are expected to be random (some provably random)

- Thermal noise, air perturbation, …

Randomness from all inputs XORed and hashed to remove bias

Works well but too slow for some purposes

- For instance, RG in Intel designs: 10 Kbit/s

- Use true randomness as seed for PRG

Good PRGs also allow adding entropy (OpenSSL)

Attacks on OTP and Stream Ciphers

“Two-time” pad:

- $c_1 = E(k, m_1) = k \oplus m_1$

- $c_2 = E(k, m_2) = k \oplus m_2$

$c_1 \oplus c_2 = m_1 \oplus m_2$

Vulnerable to frequency analysis, etc.

Keys must only be used once!
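The cancellation above in running code, as an added example that is not part of the lecture: with a reused key the XOR of the ciphertexts equals the XOR of the plaintexts, so one known message gives away the other. The `OneTimePad` class is a hypothetical helper that enforces the "only once" rule by never handing out a pad byte twice; the sample messages are constructed.

```python
import secrets


def xor(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def recover_second_message(c1: bytes, c2: bytes, known_m1: bytes) -> bytes:
    """With a reused key, c1 XOR c2 = m1 XOR m2, so knowing m1 yields m2."""
    return xor(xor(c1, c2), known_m1)


class PadExhausted(Exception):
    """Raised instead of silently reusing pad bytes."""


class OneTimePad:
    """Hypothetical helper: hands out every pad byte at most once."""

    def __init__(self, pad: bytes):
        self._pad = pad
        self._used = 0  # number of pad bytes already consumed

    def encrypt(self, m: bytes):
        """Encrypt m under fresh pad bytes; returns (pad offset, ciphertext)."""
        start, end = self._used, self._used + len(m)
        if end > len(self._pad):
            raise PadExhausted("pad used up; refusing to reuse key material")
        self._used = end
        return start, xor(self._pad[start:end], m)

    def decrypt(self, offset: int, c: bytes) -> bytes:
        """Decrypt c with the pad bytes that start at the given offset."""
        return xor(self._pad[offset:offset + len(c)], c)


# Constructed sample messages of equal length (not from the lecture).
M1 = b"Subject: lunch menu "
M2 = b"Subject: merger plan"

if __name__ == "__main__":
    k = secrets.token_bytes(len(M1))
    c1, c2 = xor(k, M1), xor(k, M2)          # the same key used twice
    print("key cancels out:", xor(c1, c2) == xor(M1, M2))
    print("c1 XOR c2      :", xor(c1, c2).hex())  # zero bytes = shared prefix
    print("m2 from m1     :", recover_second_message(c1, c2, M1))

    pad = OneTimePad(secrets.token_bytes(2 * len(M1)))
    (o1, d1), (o2, d2) = pad.encrypt(M1), pad.encrypt(M2)
    print("fresh pad bytes, relation still holds:",
          xor(d1, d2) == xor(M1, M2))
    try:
        pad.encrypt(b"one message too many")
    except PadExhausted as e:
        print("third message rejected:", e)
```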


How to Use a Stream Cipher (for more than one message)

Assume we already have a strong (but slow) cipher for encrypting small blocks and we have a PRG.

1. Pick a random seed.

2. Transfer it in a secure way.

3. Use the PRG to produce a pseudorandom stream.

4. Use the pseudorandom stream to encrypt messages.

$$E(k, m) = \underbrace{E^*(k, \mathit{seed})}_{\text{strong cipher}} \,\|\, \underbrace{m \oplus \mathit{PRG}(\mathit{seed})}_{\text{fast cipher}}$$

Attacks on OTP and Stream Ciphers

OTP is highly malleable, i.e., the messages can be modified:

Example: Electronic Voting with OTP

Votes can be either for party A ($m = 0$) or for party B ($m = 1$). However, there are predictions about the result.

[Figure: the sender encrypts $m$ with $k$ to $c = m \oplus k$; on the way the ciphertext is changed to $c^* = c \oplus 1$; the receiver decrypts $c^* \oplus k = m \oplus 1$, so a vote for A becomes a vote for B.]

Attack: XOR-ing the ciphertext with 1

If the attacker intercepts the ciphertext $c$ and computes $c^* = c \oplus 1$, he swaps the result of the voting!
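The voting example in running code, as an added example that is not part of the lecture. It shows that the modified ciphertext decrypts without any error, and then goes beyond the slide by attaching an HMAC tag to each ciphertext (encrypt-then-MAC) so that the receiver detects the change; the ballot ids, the sample ballots and the use of HMAC-SHA256 are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets

VOTE_A, VOTE_B = 0, 1   # the slide's encoding: m = 0 for party A, m = 1 for B


def otp(k: int, x: int) -> int:
    """One-bit OTP: E(k, m) = k XOR m and D(k, c) = k XOR c are the same map."""
    return k ^ x


def flip(c: int) -> int:
    """The modification from the slide: c* = c XOR 1, made without the key."""
    return c ^ 1


def tally(keys, ciphertexts):
    """Decrypt every ballot and count the votes as (votes for A, votes for B)."""
    votes = [otp(k, c) for k, c in zip(keys, ciphertexts)]
    return votes.count(VOTE_A), votes.count(VOTE_B)


def seal(k: int, mac_key: bytes, ballot_id: bytes, m: int):
    """Encrypt-then-MAC: the tag covers the ballot id and the ciphertext bit."""
    c = otp(k, m)
    tag = hmac.new(mac_key, ballot_id + bytes([c]), hashlib.sha256).digest()
    return c, tag


def open_sealed(k: int, mac_key: bytes, ballot_id: bytes, c: int, tag: bytes) -> int:
    """Verify the tag before decrypting; reject anything modified in transit."""
    expected = hmac.new(mac_key, ballot_id + bytes([c]), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ballot rejected: ciphertext was modified")
    return otp(k, c)


if __name__ == "__main__":
    ballots = [VOTE_A, VOTE_A, VOTE_A, VOTE_B]        # constructed sample
    keys = [secrets.randbits(1) for _ in ballots]     # one fresh key bit each
    cts = [otp(k, m) for k, m in zip(keys, ballots)]
    print("honest tally   (A, B):", tally(keys, cts))
    print("modified tally (A, B):", tally(keys, [flip(c) for c in cts]))

    mac_key = secrets.token_bytes(32)
    c, tag = seal(keys[0], mac_key, b"ballot-0", ballots[0])
    print("untouched ballot opens to:",
          open_sealed(keys[0], mac_key, b"ballot-0", c, tag))
    try:
        open_sealed(keys[0], mac_key, b"ballot-0", flip(c), tag)
    except ValueError as e:
        print(e)
```

Perfect secrecy says nothing about integrity: the plain OTP tally changes from (3, 1) to (1, 3) and decryption raises no error, while the tagged ballot is rejected.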


On Attack Models (for ciphers) – Passive Attacks

Ciphertext-only attack: observation of ciphertext(s) (passive)

Known plaintext attack: observation of plaintext(s) (passive)


On Attack Models (cont’d) – Active Attacks

Chosen plaintext attack: plaintexts selectable (active)

Chosen ciphertext attack: ciphertexts selectable (active)

Example PRG: RC4

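[Figure: the seed (key) initializes table S (256 bytes; entries 0, 1, 2, 3 shown holding 52, 11, 21, 93), which is accessed through two indices i and j.]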

RC4: invented by Rivest in 1987

Starts with a seed, keeps a table S

S stores permutation of {0,…,255}

Initialization: Maps the seed to an element of Perm({0,…,255})

RC4 Program and Initialization

RC4 Program:

- i = j = 0

- Repeat for every output byte:

  - i = i + 1 (mod 256)

  - j = j + S[i] (mod 256)

  - Swap S[i] and S[j]

  - t = S[i] + S[j] (mod 256)

  - Output S[t]

Init (given key K):

- For (i = 0; i < 256; i++)

  - S[i] = i

- j = 0

- For (i = 0; i < 256; i++)

  - j = j + S[i] + K[i mod keylen] (mod 256) (key could be short)

  - Swap S[i] and S[j]

Attacks on RC4

Widely used: SSL, TLS, 802.11b WEP

Some successful (weak) attacks on RC4:

- Problems with Init: Second byte is twice as likely to be 0 as it should be (2/256 instead of 1/256):

Drop first 256 bytes of output

- Statistical attacks: Probability of seeing (0,0) is $1/256^2 + 1/256^3$ (i.e. biased by $1/256^3$)

After $(256^2)^3 = 2^{48}$ $10^{16}$ bytes, one can distinguish RC4 output from random with probability > 99%.

RC4 is not provably secure but works pretty well in practice (and is used in lots of products such as web browsers)
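An added example (not code from the lecture): RC4 as outlined on the previous slide, with the standard update j = j + S[i], followed by a measurement of the second-byte bias and of the effect of dropping the first 256 output bytes. The 16-byte key length, the trial count and the fixed RNG seed are assumptions chosen to make the experiment reproducible.

```python
import random


def rc4_init(key: bytes) -> list:
    """Init: turn the key into a permutation S of {0, ..., 255}."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key: bytes, n: int, drop: int = 0) -> bytes:
    """Return n keystream bytes, discarding the first `drop` bytes."""
    S = rc4_init(key)
    i = j = 0
    out = bytearray()
    for _ in range(drop + n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out[drop:])


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Stream cipher: XOR with the keystream (encryption = decryption)."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def second_byte_zero_counts(trials: int, seed: int = 2016):
    """Over `trials` random 16-byte keys, count how often the 2nd output byte
    is 0, and how often the 2nd byte *after dropping 256 bytes* is 0.

    random.Random only makes the experiment repeatable; it is exactly the
    kind of generator that must not be used to create real keys.
    """
    rng = random.Random(seed)
    raw = dropped = 0
    for _ in range(trials):
        key = bytes(rng.randrange(256) for _ in range(16))
        ks = rc4_keystream(key, 258)
        raw += ks[1] == 0        # second byte of the raw output
        dropped += ks[257] == 0  # second byte once 256 bytes are discarded
    return raw, dropped


if __name__ == "__main__":
    # Widely published test vector: key "Key", plaintext "Plaintext".
    print(rc4_crypt(b"Key", b"Plaintext").hex())
    trials = 20000
    raw, dropped = second_byte_zero_counts(trials)
    print("expected if uniform:", trials / 256)
    print("2nd byte == 0, raw output:        ", raw)
    print("2nd byte == 0, first 256 dropped: ", dropped)
```

The raw count comes out near 2/256 of the trials and the count after the drop near 1/256, matching the figures on the slide.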


Hardware PRG

[Figure: shift register with cells K0 K1 K2 K3 K4]

LFSR (Linear Feedback Shift Register)

Used in CSS, GSM, etc.

Standard solution for doing cheap hardware encryption (as a stream cipher)

Seed: initial value of the register

Not usable on their own: the first bits output are key bits

CSS

[Figure: a 17-bit LFSR seeded with 1||K0K1 and a 25-bit LFSR seeded with 1||K2K3K4 each output 8 bits; the two outputs are added mod 256.]

Content Scrambling System (CSS)

Key = 40 bits = 5 bytes (K0K1K2K3K4)

Easy to break in time ca. $2^{20}$ ($2^{40}$ with brute force)


More than one Encryption: Block Ciphers

[Figure: E takes a message block m (short, e.g., 128 bits) and the key K and outputs the ciphertext block c := E(K, m) (also 128 bits); D takes the ciphertext block c and the key K and outputs the message block m := D(K, c).]

Data Encryption Standard (DES)

History:

1. 1967: Feistel at IBM: Lucifer; key-len = 128 bits, msg-len = CT-len = 128 bits

2. 1972: National Bureau of Standards (NBS, now NIST) asked for a federal encryption standard; IBM developed DES

3. 1975: DES became the standard: key-len = 56 bits, msg-len = CT-len = 64 bits

4. DES is (somewhat) vulnerable to brute force today

- 3-DES: 56 bits, 3*56 = 168 bits

- Successor of DES: Advanced Encryption Standard (AES):

• 1998: NIST: Competition for DES replacement

• 2000: Adopted Rijndael as AES


Intuition of DES

Basic Idea: Feistel Networks:

- Also used in IDEA, RC5, Skipjack, …

- AES does not use a Feistel Network!

Feistel Networks: $f_1, \dots, f_d : \{0,1\}^n \to \{0,1\}^n$ (for DES: $n = 32$, $d = 16$)


Feistel Networks

[Figure: Feistel network. The plaintext $(L_0, R_0)$, with $n$ bits per half, passes through rounds 1, 2, …, $d$ with round functions $f_1, f_2, \dots, f_d$, giving the ciphertext $(L_d, R_d)$.]


- $(L_0, R_0)$ in Partition(PT)

- For $i = 1$ to $d$

• $L_i \leftarrow R_{i-1}$

• $R_i \leftarrow L_{i-1} \oplus f_i(R_{i-1})$

Feistel is one-to-one

Claim: For any functions $f_1, \dots, f_d$, a Feistel network is a one-to-one map $F: \{0,1\}^{2n} \to \{0,1\}^{2n}$

Proof: Construct $F^{-1}$ given $CT \in \{0,1\}^{2n}$, $CT = (L_d, R_d)$

Feistel Networks

[Figure: round $d$ of the Feistel network: $(L_{d-1}, R_{d-1})$ and $f_d$ give the ciphertext $(L_d, R_d)$.]

In symbols:

- $R_{d-1} = L_d$, $L_{d-1} = R_d \oplus f_d(L_d)$

- $R_{d-2} = L_{d-1}$, $L_{d-2} = R_{d-1} \oplus f_{d-1}(L_{d-1})$

- …

- $R_0 = L_1$, $L_0 = R_1 \oplus f_1(L_1)$

Feistel Network inverts itself!

- Apply functions $f_i$ in reverse order: $f_d, f_{d-1}, f_{d-2}, \dots$

Feistel “encryption” and “decryption”

Encryption by Feistel Network:

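- $f_1, \dots, f_d : \{0,1\}^{32} \to \{0,1\}^{32}$

- $(L_0, R_0)$ in Partition(PT)

- $L_1 = R_0$, $R_1 = L_0 \oplus f_1(R_0)$

- $L_2 = R_1$, $R_2 = L_1 \oplus f_2(R_1)$

- …

- $L_d = R_{d-1}$, $R_d = L_{d-1} \oplus f_d(R_{d-1})$

Decryption by backwards Feistel traversal:

- $R_{d-1} = L_d$, $L_{d-1} = R_d \oplus f_d(L_d)$

- $R_{d-2} = L_{d-1}$, $L_{d-2} = R_{d-1} \oplus f_{d-1}(L_{d-1})$

- …

- $R_0 = L_1$, $L_0 = R_1 \oplus f_1(L_1)$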
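The one-to-one claim and the backwards traversal, checked exhaustively on a small network. This is an added example, not code from the lecture: the half width n = 4 and the four round functions are constructed for the illustration, and most of them are deliberately not invertible.

```python
N_BITS = 4                       # bits per half; blocks have 2n = 8 bits
MASK = (1 << N_BITS) - 1

# Constructed round functions {0,1}^n -> {0,1}^n. Most are not invertible:
# the claim holds for *any* functions f_1, ..., f_d.
ROUND_FNS = [
    lambda x: 0b1010,            # constant function
    lambda x: (x * x) & MASK,    # squaring mod 2^n, many collisions
    lambda x: (x >> 2) & MASK,   # throws away two input bits
    lambda x: (7 * x + 3) & MASK,
]


def feistel_encrypt(block, round_fns):
    """(L_0, R_0) -> (L_d, R_d): L_i = R_{i-1}, R_i = L_{i-1} XOR f_i(R_{i-1})."""
    L, R = block
    for f in round_fns:
        L, R = R, L ^ f(R)
    return L, R


def feistel_decrypt(block, round_fns):
    """(L_d, R_d) -> (L_0, R_0): R_{i-1} = L_i, L_{i-1} = R_i XOR f_i(L_i)."""
    L, R = block
    for f in reversed(round_fns):
        L, R = R ^ f(L), L
    return L, R


def decrypt_with_encryption_network(block, round_fns):
    """The network inverts itself: run the *encryption* network on the swapped
    halves with the round functions in reverse order, then swap back."""
    L, R = block
    R0, L0 = feistel_encrypt((R, L), list(reversed(round_fns)))
    return L0, R0


def all_blocks():
    """Every 2n-bit block as a pair of n-bit halves."""
    return [(L, R) for L in range(1 << N_BITS) for R in range(1 << N_BITS)]


def image_size(round_fns):
    """Number of distinct ciphertexts; equals the number of blocks iff one-to-one."""
    return len({feistel_encrypt(b, round_fns) for b in all_blocks()})


if __name__ == "__main__":
    print("blocks:", len(all_blocks()), "distinct ciphertexts:", image_size(ROUND_FNS))
    pt = (0b0011, 0b0101)
    ct = feistel_encrypt(pt, ROUND_FNS)
    print("E", pt, "=", ct)
    print("backwards traversal:   ", feistel_decrypt(ct, ROUND_FNS))
    print("same network, reversed:", decrypt_with_encryption_network(ct, ROUND_FNS))
```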


Decrypting Feistel Networks

[Figure: encryption and decryption side by side. Encryption runs from $(L_0, R_0)$ to $(L_d, R_d)$ with $f_1, f_2, \dots, f_d$; decryption runs the same structure on the swapped halves from $(R_d, L_d)$ to $(R_0, L_0)$ with $f_d, f_{d-1}, \dots$; each half has $n$ bits.]

DES

[Figure: DES. Plaintext → Initial Permutation (IP) → 16-round Feistel network from $(L_0, R_0)$ to $(L_{16}, R_{16})$ → inverse of the initial permutation (IP$^{-1}$) → ciphertext.]

Feistel Functions in DES

$f_i(R_{i-1}) := f(R_{i-1}, K_i)$, $R_{i-1} \leftarrow \{0,1\}^{32}$

The keys $K_i$ (48 bits) are derived from $K$ (56 bits) by a specified key schedule (bit-subset relation)

$f(R_{i-1}, K_i)$: $R_{i-1}$ (32 bits), $K_i$ (48 bits)

- $R_{i-1}$ (32 bits) $\to$ $R_{i-1}'$ (48 bits) (blowup by bit replication)

- $f(R_{i-1}, K_i) := R_{i-1}'$ (48 bits) $\oplus$ $K_i$ (48 bits)

[Figure: $R_{i-1}$ (32 bits) → Expansion Permutation E (48 bits) → XOR with subkey $K_i$ (48 bits) → 48 bits.]

Feistel Functions in DES (cont’d)

[Figure: $R_{i-1}$ (32 bits) → Expansion Permutation E (48 bits) → XOR with subkey $K_i$ (48 bits) → S-boxes S1 … S8 (48 bits in, 32 bits out) → P-Box (Permutation P, 32 bits).]

S-Boxes


S-Boxes and P-Box


High-level Summary of DES

[Figure: high-level summary of DES. The 64-bit plaintext block passes through the initial permutation and is split into an L-block and an R-block (32 bits each). The R-block is expanded to 48 bits, XORed with the 48-bit key choice taken from the key (56+8 bits) after the key permutation, passed through the S-boxes S1, S2, S3, …, S8 and XORed with the L-block, giving the next L-block and R-block (32 bits each). The output permutation yields the 64-bit ciphertext block.]
