CU-Boulder CSCI 6268 - Lecture #4


Foundations of Network and Computer Security
John Black
Lecture #4, Sep 1st 2005
CSCI 6268/TLEN 5831, Fall 2005

Announcements
- Please sign up for class mailing list
- Office Hours on Weds now 2:30-3:20pm instead of at 4pm
- Quiz #1 will be on Thursday, Sep 8th
  - About 30 mins
  - At end of class
  - Office hours day before and morning of
  - Covers all lecture materials and assigned readings

DES: Feistel Construction
- IP: Initial permutation swaps bits around for hardware purposes
  - Adds no cryptographic strength; same for FP
- Each inner application of F and the XOR is called a "round"
- F is called the "round function"
- The cryptographic strength of DES lies in F
- DES uses 16 rounds

One Round
- Each half is 32 bits
- Round key is 48 bits
- Is this a permutation (as required)?
- How do we invert?
- Note that F need not be invertible with the round key fixed
[Figure: one Feistel round, showing the halves L_i and R_i, the round function F with its round key, and the output halves]

Why so many Rounds?
- Can we just have one round of Feistel?
  - Clearly this is insecure
- How about two rounds?
  - Expect to be asked a related question on the first quiz
- DES has 16 rounds
  - It's easily broken with 8 rounds using differential cryptanalysis

The DES Round Function

DES Round Function (cont)
- F takes two inputs
  - 32-bit round value
  - 48 bits of key taken from the 56-bit DES key
    - A different subset of 48 bits is selected in each round
- E is the "expansion" box
  - Turns each set of 4 bits into 6 by merely repeating some bits
- S-boxes take 6 bits back to 4 bits
  - Non-linear functions, and they are the cryptographic heart of DES
  - S-boxes were tweaked by NSA back in the 70's
  - It is believed that they IMPROVED DES by doing this

Full Description of DES
- If you want all the gory details: http://en.wikipedia.org/wiki/DES
- Challenge Problem: Alter the S-boxes of DES any way you like so that with ONE plaintext-ciphertext pair you can recover all 56 key bits
  - (Warning: you need some linear algebra here)

So if not DES, then what?
- Double DES
  - Let's write DES(K, P) as $\mathrm{DES}_K(P)$
  - Double DES (DDES) is a 64-bit blockcipher with a 112-bit key $K = (K_1, K_2)$ and is
    $\mathrm{DDES}_K(P) = \mathrm{DES}_{K_2}(\mathrm{DES}_{K_1}(P))$
- We know 112 bits is out of exhaustive search range... are we now secure?

Meet in the Middle Attack
- With enough memory, DDES isn't much better than single DES!
- Attack (assume we have a handful of pt-ct pairs $(P_1, C_1), (P_2, C_2), \ldots$)
  - Encipher $P_1$ under all $2^{56}$ possible keys and store the ciphertexts in a hash table
  - Decipher $C_1$ under all $2^{56}$ possible keys and look for a match
  - Any match gives a candidate 112-bit DDES key
  - Use $(P_2, C_2)$ and more pairs to validate the candidate DDES key until found

Meet in the Middle (cont)
- Complexity
  - $2^{56} + 2^{56} = 2^{57}$ DES operations
  - Not much better than the $2^{55}$ expected DES operations for exhaustive search!
  - Memory requirements are quite high, but there are techniques to reduce them at only a slightly higher cost
  - End result: no one uses DDES

How about Triple-DES!
- Triple DES uses a 168-bit key $K = (K_1, K_2, K_3)$
  $\mathrm{TDES}_K(P) = \mathrm{DES}_{K_3}(\mathrm{DES}_{K_2}(\mathrm{DES}_{K_1}(P)))$
- No known attacks against TDES
  - Provides 112 bits of security against key search
  - Widely used, standardized, etc
  - More often used in "two-key triple-DES" mode with EDE format (K is 112 bits like DDES):
    $\mathrm{TDES}_K(P) = \mathrm{DES}_{K_1}(\mathrm{DES}^{-1}_{K_2}(\mathrm{DES}_{K_1}(P)))$
  - Why is the middle operation a decipherment?

AES: The Advanced Encryption Standard
- If TDES is secure, why do we need something else?
  - DES was slow
  - DES times 3 is three times slower
  - 64-bit blocksize could be bigger without adding much cost
  - DES had other annoying weaknesses which were inherited by TDES
  - We know a lot more about blockcipher design, so time to make something really cool!

AES Competition
- NIST sponsored a competition
  - Individuals and groups submitted entries
  - Goals: fast, portable, secure, constrained environments, elegant, hardware-friendly, patent-free, thoroughly analyzed, etc
- Five finalists selected (Aug 1999)
  - Rijndael (Belgium), MARS (IBM), Serpent (Israel), TwoFish (Counterpane), RC6 (RSA, Inc)
- Rijndael selected (Dec 2001)
  - Designed by two Belgians

AES: Rijndael
- Not a Feistel construction!
  - 128-bit blocksize
  - 128-, 192-, 256-bit keysize
  - SP network
    - Series of invertible (non-linear) substitutions and permutations
  - Much faster than DES
    - About 300 cycles on a Pentium III
  - A somewhat risky choice for NIST
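Returning to the "One Round" and "Meet in the Middle Attack" slides above, the following is an added example, not part of the original lecture. It builds a toy Feistel cipher whose round function is a truncated hash (so F is not invertible, yet the cipher is), then runs the meet-in-the-middle search against double encryption with it. The 16-bit block, 12-bit key, 4 rounds, hash-based F and all sample values are assumptions chosen so the search finishes instantly.

```python
import hashlib

ROUNDS, KEY_BITS = 4, 12          # toy sizes (assumptions): 16-bit block, 12-bit key
KEYS = 1 << KEY_BITS

def F(half, key, rnd):
    """Round function: truncated hash of (round, key, 8-bit half). Not invertible."""
    data = bytes([rnd]) + key.to_bytes(2, "big") + bytes([half])
    return hashlib.sha256(data).digest()[0]

def enc(key, block):
    L, R = block >> 8, block & 0xFF
    for rnd in range(ROUNDS):
        L, R = R, L ^ F(R, key, rnd)          # one Feistel round
    return (L << 8) | R

def dec(key, block):
    L, R = block >> 8, block & 0xFF
    for rnd in reversed(range(ROUNDS)):
        L, R = R ^ F(L, key, rnd), L          # undo the round; F only ever runs forward
    return (L << 8) | R

def double_enc(k1, k2, block):
    return enc(k2, enc(k1, block))

def meet_in_the_middle(pairs):
    """Return (surviving (k1, k2) candidates, candidate count after the first pair)."""
    (p1, c1), rest = pairs[0], pairs[1:]
    table = {}
    for k1 in range(KEYS):                    # encipher P1 under every K1, store
        table.setdefault(enc(k1, p1), []).append(k1)
    candidates = [(k1, k2) for k2 in range(KEYS)      # decipher C1 under every K2
                  for k1 in table.get(dec(k2, c1), [])]
    first_pass = len(candidates)
    for p, c in rest:                         # validate candidates with more pairs
        candidates = [(k1, k2) for k1, k2 in candidates
                      if double_enc(k1, k2, p) == c]
    return candidates, first_pass

# Constructed sample data: a secret double key and three known plaintext blocks.
K1, K2 = 0x3A7, 0xC15
PAIRS = [(p, double_enc(K1, K2, p)) for p in (0x1234, 0xBEEF, 0x0F0F)]

if __name__ == "__main__":
    found, first_pass = meet_in_the_middle(PAIRS)
    print(f"{2 * KEYS} cipher calls instead of {KEYS * KEYS}")
    print(f"{first_pass} candidates after pair 1, {len(found)} after all pairs: {found}")
```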
Security of the AES
- Some close calls last year (XL attack)
  - Can be represented as an overdetermined set of very sparse equations
  - Computer methods of solving these systems would yield the key
  - Turns out there are fewer equations than previously thought
  - Seems like nothing to worry about yet

Block Ciphers - Conclusion
- There are a bunch out there besides AES and DES
  - Some are pretty good (IDEA, TwoFish, etc)
  - Some are pretty lousy
    - LOKI, FEAL, TEA, Magenta, Bass-O-Matic
- If you try and design your own, it will probably be really really bad
  - Plenty of examples, yet it still keeps happening

Blockcipher Review
- DES
  - Old, 64-bit blocksize, 56-bit keys
  - Feistel construction
  - Never broken (except for exhaustive key search)
- AES
  - New, 128-bit blocksize, 128-256 bit keys
  - Non-Feistel
  - Fast, elegant, so far so good

Aren't We Done?
- Blockciphers are only a start
  - They take n bits to n bits under a k-bit key
  - Oftentimes we want to encrypt a message and the message might be less than or greater than n bits!
  - We need a "mode of operation" which encrypts any $M \in \{0,1\}^*$
  - There are many, but we focus on three: ECB, CBC, CTR

ECB: Electronic Codebook
- This is the most natural way to encrypt
  - It's what we used with the Substitution Cipher
- For blockcipher E under key K:
  - First, pad (if required) to ensure $M \in (\{0,1\}^n)^+$
  - Write $M = M_1 M_2 \cdots M_m$ where each $M_i$ has size n bits
  - Then just encipher each chunk: $C_i = E_K(M_i)$ for all $1 \le i \le m$
  - Ciphertext is $C = C_1 C_2 \cdots C_m$

ECB (cont)
- What's bad about ECB?
  - Repeated plaintext blocks are evident in the ciphertext
    - Called "deterministic encryption" and considered bad
    - This was the feature of the Substitution Cipher that allowed us to do frequency analysis
    - Not as bad when n is large, but it's easy to fix, so why not fix it!
  - Encrypting the same M twice will yield the same C
    - Usually we'd like to avoid this as well

Goals of Encryption
- Cryptographers want to give up exactly two pieces of information when encrypting a message
  1) That M exists
  2) The approximate length of M
- The military sometimes does not even want to give up these two things!
  - Traffic analysis
- We definitely don't want to make it obvious when a message repeats

CBC Mode Encryption
- Start with an n-bit "nonce" called the IV
  - Initialization Vector
  - Usually a counter or a random string
- Blockcipher E under key K, M broken into m blocks of n bits as usual
  - $C_0 = IV$
  - $C_i = E_K(M_i \oplus C_{i-1})$ for all $1 \le i \le m$
[Figure: CBC encryption diagram, blocks M_1, M_2, ..., M_m each passing through E_K] …
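The ECB and CBC definitions above, side by side, as an added example that is not part of the original lecture. The blockcipher here is a toy with n = 8 bits (a key-selected permutation of byte values), which makes ECB literally the substitution cipher the slides mention; the key, IVs and message are constructed sample values.

```python
import random

def make_cipher(key):
    """Toy blockcipher with n = 8 bits: the key selects a permutation of byte values."""
    E = list(range(256))
    random.Random(key).shuffle(E)
    D = [0] * 256
    for x, y in enumerate(E):
        D[y] = x                                   # inverse permutation
    return E, D

def ecb_encrypt(E, msg):
    return bytes(E[m] for m in msg)                # C_i = E_K(M_i)

def cbc_encrypt(E, iv, msg):
    out = [iv]                                     # C_0 = IV
    for m in msg:
        out.append(E[m ^ out[-1]])                 # C_i = E_K(M_i xor C_{i-1})
    return bytes(out)

def cbc_decrypt(D, ct):
    # M_i = D_K(C_i) xor C_{i-1}; ct[0] is the IV
    return bytes(D[c] ^ prev for prev, c in zip(ct, ct[1:]))

def repeat_pattern(blocks):
    """For each block, the position where that block value first appeared."""
    return [blocks.index(b) for b in blocks]

# Constructed sample key and message (one byte per block).
E, D = make_cipher(6268)
MSG = b"ATTACK AT DAWN ATTACK AT DUSK"

if __name__ == "__main__":
    ecb = ecb_encrypt(E, MSG)
    # ECB is deterministic: the repeat structure of the plaintext survives intact,
    # which is exactly what frequency analysis needs.
    print("ECB keeps repeats:", repeat_pattern(ecb) == repeat_pattern(MSG))
    # CBC under two IVs: same key, same message, different ciphertexts.
    for iv in (17, 200):
        print(f"CBC, IV={iv}:", cbc_encrypt(E, iv, MSG).hex())
```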

