May 30th – 31st, 2006
Sheraton Ottawa

Implementing Advanced Cryptography - Suite-B

William Billings, CISSP
Chief Security Advisor
Microsoft US Federal
Microsoft Corporation

Overview
Review the current state of the cryptographic algorithms
The legacy algorithms: RSA, DES and the hashing functions
The most recent attacks against these algorithms and possible implications
Projected performance – speed vs strength trade-offs
Latest suite of commercial algorithms adopted within the US, NATO and Financial institutions: Suite-B
Elliptical Curve Cryptography
AES symmetric key algorithms
SHA-2 hash algorithms

The Problem of Aging Algorithms
40-bit cryptography used to be required for export control
Considered almost trivial to break
56-bit DES was broken several years ago for less than $300K
128-bit MD4 hash is the equivalent of a 64-bit symmetric key algorithm and has been broken with a paper-and-pencil attack
128-bit MD5 has been broken by a Chinese team

The Problem of Aging Algorithms
80-bit crypto has a limited lifetime
SHA-1 has only 2^80 strength, assuming the attacker can obtain 2^40 cipher pairs
RSA-1024 is considered the equivalent of 2^80 strength
The handwriting is on the wall
NIST recommends phasing out 80-bit crypto by 2010
Agencies need to initiate policies and architectures now for eventual migration to stronger cryptography

Stronger (but Slower) keys can be used
RSA-2048 is somewhat stronger than RSA-1024, but requires substantially more processing power
RSA-2048 is equivalent to 112-bit symmetric key algorithm
SHA-1 still has only 2^69 strength, but very few applications support the new “SHA-2” algorithms yet
Three-key triple DES has only 2^112 strength, again due to time-memory tradeoffs
NIST recommends phasing out 112-bit crypto by 2030
Significantly stronger and faster alternatives are available today.

Is All This Strength Really Necessary?
“Prediction is very difficult, especially if it’s about the future.”
Niels Bohr, Nobel laureate in Physics
Home Computer Prediction?

Is All This Strength Really Necessary?
Predictions of cryptographic strength are seldom too conservative
When DES was first announced, IBM and NIST predicted that it would take centuries of computer power to break it
Now it can be broken in less than a day, with only a modest investment
Similar claims were initially made about RSA-512
The original Secure Hash Algorithm, designed by NSA, lasted two years before it was replaced by SHA-1

RSA: Key Length vs. Strength
RSA is inefficient – it gains strength slowly
RSA-1024 is equivalent to an 80-bit symmetric key
RSA-2048 is equivalent to a 112-bit key (3DES)
RSA-3072 is equivalent to a 128-bit key (AES)
RSA-7680 is equivalent to a 192-bit AES key
RSA-15,380 is required to equal an AES-256 key!
Bad news for high strength keys
But that’s not all – the performance is terrible

RSA Key Length vs. Performance
The computation time required for larger keys increases rapidly
The time required for signing is proportional to the cube of the key length
RSA-2048 operations require 8 times as long as RSA-1024
Example – 60 ms for RSA-1024 sign, 600 ms for RSA-2048
RSA-15,360 would take 3375 times RSA-1024, or 200 seconds!
Fortunately, there is an alternative – the Suite-B algorithms.

Suite-B
Previously, NIST’s open crypto algorithms used to protect SBU data could not be used to protect classified data.
That is no longer the case: there is now a standardized, public set of algorithms that can be used to protect both unclassified and classified information.
The result is Suite-B, a selected subset of the NIST toolkit for classified applications up through Top Secret
Specific approval is still required for the implementations and systems that are used to protect classified information
Expect more guidance on acceptable key management
Should be consistent with SP 800-57

Suite-B - Background
US Government, NATO and some in the Financial sector are adopting the Suite-B algorithms for use in multinational information sharing environments.
Although approved for classified data, the algorithms themselves are unclassified and approved for worldwide use
There are three components:
Elliptical Curve Cryptography (ECC)
The Advanced Encryption Standard (AES)
SHA-2 hash algorithms

Elliptical Curve Cryptography
ECC was invented by Neal Koblitz and Victor Miller in 1985, eight years after the RSA algorithm
ECC has been studied extensively for 20+ years and is well recognized and accepted world-wide for its strong number-theoretic foundation.
ECC has been standardized internationally by ISO and the IETF and within the US by ANSI and NIST

Elliptical Curve Cryptography
An elliptical curve is NOT an ellipse!

Elliptical Curve Cryptography
NIST has defined several sets of curves, the most important of which are generated by the equations of the form
y^2 = x^3 - 3x + b modulo p
Three curves in GF(p) are particularly important:
P-256, with a 256-bit key, equivalent to AES-128
P-384, with a 384-bit key, equivalent to AES-192
P-521, with a 521-bit key, equivalent to AES-256
These three curves and key sizes form the heart of Suite-B algorithms
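
The curve equation on this slide can be checked directly against the three Suite-B curves. The Go program below is an added example, not part of the original presentation: it reads each curve's p, b and base point from Go's standard crypto/elliptic package and evaluates y^2 = x^3 - 3x + b modulo p by hand. The function names and the shifted test point are constructed for illustration.

```go
package main

import (
	"crypto/elliptic"
	"fmt"
	"math/big"
)

// onCurve reports whether (x, y) satisfies y^2 = x^3 - 3x + b (mod p)
// for the given NIST prime curve, computed directly from the equation.
func onCurve(c elliptic.Curve, x, y *big.Int) bool {
	p, b := c.Params().P, c.Params().B
	// Coordinates must be field elements in the range [0, p-1].
	if x.Sign() < 0 || y.Sign() < 0 || x.Cmp(p) >= 0 || y.Cmp(p) >= 0 {
		return false
	}
	lhs := new(big.Int).Mul(y, y)
	lhs.Mod(lhs, p)
	rhs := new(big.Int).Exp(x, big.NewInt(3), p)     // x^3
	rhs.Sub(rhs, new(big.Int).Mul(big.NewInt(3), x)) // - 3x
	rhs.Add(rhs, b)                                  // + b
	rhs.Mod(rhs, p)
	return lhs.Cmp(rhs) == 0
}

// suiteBCurves returns the three GF(p) curves named on the slide.
func suiteBCurves() []elliptic.Curve {
	return []elliptic.Curve{elliptic.P256(), elliptic.P384(), elliptic.P521()}
}

// basePointCheck tests the standard base point and a constructed off-curve
// point (same x, y shifted by one) against the curve equation.
func basePointCheck(c elliptic.Curve) (base, shifted bool) {
	pr := c.Params()
	badY := new(big.Int).Add(pr.Gy, big.NewInt(1))
	return onCurve(c, pr.Gx, pr.Gy), onCurve(c, pr.Gx, badY)
}

func main() {
	for _, c := range suiteBCurves() {
		base, shifted := basePointCheck(c)
		fmt.Printf("%s (%d-bit field): base point on curve=%v, shifted point on curve=%v\n",
			c.Params().Name, c.Params().BitSize, base, shifted)
	}
}
```

The same equation test is the core of validating a public key received from a peer before it is used in key agreement.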

ECC Performance
Elliptical Curve Cryptography is much stronger per bit than RSA and is less computationally intensive
P-256 is equivalent to RSA-3,072
P-384 is equivalent to RSA-7,680
P-521 is equivalent to RSA-15,380
The performance of ECC is also proportional to the cube of the key size, but the keys are much smaller and more efficient in strength
P-256 is faster than RSA-2048 and much faster than RSA-3062. After that, there is no contest!

ECC Algorithms
ECDSA is the elliptic curve equivalent of the DSA signature algorithms and is standardized in FIPS 186-2
EC Diffie-Hellman is a key establishment algorithm with five different variations
ECMQV is another, stronger, key establishment algorithm that is patented by Certicom
ECIES is an ECC encryption algorithm that is standardized by ISO, but has been rejected by NIST.

AES and SHA-2
The Advanced Encryption Standard (AES) was selected by NIST after an extensive competition and trials
Initially called Rijndael, it was developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen
AES-128 is significantly faster and stronger than triple-DES and AES-256 is only slightly slower
AES-256 is rapidly becoming the de facto standard
The SHA-224/256/384/512 hash functions are significantly stronger than SHA-1, although somewhat slower

ECC, AES and SHA-2
Suite-B adoption timelines (US):
AES was approved in 2001
ECDSA with recommended curves was approved in 2001
SHA-224/256/384/512 was approved in 2002
NIST’s SP 800-56A, March 2003
NSA announced the term Suite-B at RSA Conference 2005

Why AES 256 with ECC 384 in Suite-B?
Theoretically
AES 256 is equivalent to ECC 512
AES 192 is equivalent to ECC 384
AES 256 with ECC 384 seems a mismatch
But there is very little performance penalty for AES 256
About a 20% difference
A lot of people are choosing to use AES 256
There is a significant performance cost going to ECC 512 and ECC 384 is strong enough for Top Secret
Make life simple: use ECC 384, which is fast and strong enough, with AES 256 which is strong and fast enough.

Suite-B: The algorithms
Encryption Algorithm AES (FIPS 197)
AES-128 up to SECRET
AES-256 up to TOP SECRET
Digital Signature (FIPS 186-3)
ECDSA with 256-bit prime modulus up to SECRET
ECDSA with 384-bit prime modulus up to TOP SECRET
Key Agreement (NIST SP 800-56A)
EC Diffie-Hellman or EC MQV with 256-bit prime modulus up to SECRET
EC Diffie-Hellman or EC MQV with 384-bit prime modulus up to TOP SECRET
Hash Functions (FIPS 180-2)
SHA-256 up to SECRET
SHA-384 up to TOP SECRET
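
The TOP SECRET selections from this slide, wired together as an added Go example (not from the original presentation and not Microsoft's implementation): EC Diffie-Hellman on the 384-bit curve, SHA-384, AES-256 and ECDSA. Assumptions: GCM as the AES mode, a single SHA-384 hash in place of the SP 800-56A key derivation function, and all function names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"fmt"
)

// must aborts on error to keep the example short; real code returns errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sessionKey runs ECDH on P-384 and hashes the shared secret with SHA-384,
// keeping 32 bytes as the AES-256 key. The single hash is a simplification
// standing in for the SP 800-56A key derivation function.
func sessionKey(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) []byte {
	sum := sha512.Sum384(must(priv.ECDH(peer)))
	return sum[:32]
}

// aead wraps an AES-256 key in GCM; the mode is this example's choice.
func aead(key []byte) cipher.AEAD {
	return must(cipher.NewGCM(must(aes.NewCipher(key))))
}

// exchange signs msg (ECDSA P-384 over SHA-384), encrypts it under the key
// the sender derives, then decrypts and verifies with the receiver's key.
func exchange(msg []byte) (plain []byte, sigOK bool) {
	sender := must(ecdh.P384().GenerateKey(rand.Reader))
	receiver := must(ecdh.P384().GenerateKey(rand.Reader))
	signer := must(ecdsa.GenerateKey(elliptic.P384(), rand.Reader))
	digest := sha512.Sum384(msg)
	sig := must(ecdsa.SignASN1(rand.Reader, signer, digest[:]))
	nonce := make([]byte, 12) // 96-bit GCM nonce, fresh for every message
	must(rand.Read(nonce))
	ct := aead(sessionKey(sender, receiver.PublicKey())).Seal(nil, nonce, msg, nil)
	plain = must(aead(sessionKey(receiver, sender.PublicKey())).Open(nil, nonce, ct, nil))
	got := sha512.Sum384(plain)
	return plain, ecdsa.VerifyASN1(&signer.PublicKey, got[:], sig)
}

func main() {
	plain, ok := exchange([]byte("constructed sample message"))
	fmt.Printf("decrypted=%q signature valid=%v\n", plain, ok)
}
```

Decryption only succeeds because both sides derive the same 32-byte key from their own private key and the peer's public key.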

Suite-B: Bottom Line
There are requirements to do both classified and unclassified applications
National security apps. need to use ordinary commercial software
No fundamental difference between algorithms for SBU & classified
In the US there is cooperation between Civilian government and DoD: cryptography for both SBU and classified
NSA approval of implementations required for classified
Expect NSA-managed keying material for classified apps.
Unclassified users must have CMVP validated crypto modules
More choices of algorithms including the ones in Suite-B
Users typically generate their own keys
Nobody loses; some of us gain

Microsoft’s Implementation
We began a Corporate-wide investment in Cryptographic Modernization in 2005
We had been watching ECC technology for a number of years, waiting for consensus as to fields, curves and key lengths
When NSA announced Suite-B we decided the time was right for implementation.
We have implemented the Suite-B algorithms in Vista Client and Longhorn Server. There are some plans for down-level implementation in XP/Server 2003.
For all internal implementations Microsoft will not use weaker algorithms than Suite-B
But, of course, will support your choice of crypto algorithms

Vista Suite-B Specifics
Encryption: AES
FIPS 197 (with key sizes of 128 and 256 bits)
Digital Signature: Elliptic Curve Digital Signature Algorithm
FIPS 186-2 (using the curves with 256 and 384-bit prime moduli)
Key Exchange: Elliptic Curve Diffie-Hellman or Elliptic Curve MQV
Draft NIST Special Publication 800-56 (using the curves with 256 and 384-bit prime moduli)
Hashing: Secure Hash Algorithm
FIPS 180-2 (using SHA-256 and SHA-384)

Crypto Next Generation
New crypto infrastructure to replace existing CAPI 1.0 APIs
CAPI will still be available in Vista but it will be deprecated in some future version
Customers can plug a new crypto algorithm into Windows or replace the implementation of an existing algorithm
New crypto algorithms can be plugged into OS protocols (e.g. SSL, S/MIME)

© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.