Você está na página 1de 62

Network Security

Lecture #3
ENPM 693
Fall 2014
University of Maryland, College Park

Todays Lecture
Where weve been?

A high level survey of cryptography


Symmetric-key vs. asymmetric-key cryptography
Adversary models
Hash functions
Definition of security of crypto alg.

Where were going today?

PRNGs
Attack models on crypto
One-time pad
Cryptosystem - Symmetric-key cryptography: Block cipher & Stream cipher
Block cipher as a symmetric cryptography DES, AES, 3DES
Modes of operation - ECE, CBC, CFB, OFB, CTR
Stream cipher RC4

Where were heading next?


Message integrity MAC,
Asymmetric cryptography DH, RSA

PRNGs
A pseudo-random number generator (PRNG) is a deterministic
function that takes as input a seed and outputs a string
To be useful, the output must be longer than the seed

If seed chosen at random, output of the PRNG should look random


(i.e., be pseudo-random) to any efficient distinguishing algorithm
Even when the algorithm knows G! (Kerchoffss rule)

Notes
Required notion of pseudo-randomness is very strong
must be indistinguishable from random for all efficient algorithms
General-purpose PRNGs (rand( ), java.random) not sufficient for crypto

Pseudo-randomness of the PRNG depends on the seed being chosen


at random
True randomness very difficult to obtain
In practice: randomness from physical processes and/or user behavior

PRGs: a picture
y

y{0,1}l chosen uniformly


at random

??

World 0

World 1
x {0,1}n chosen uniformly
at random

(poly-time)

G(x)

Far from identical,


but adv. cant tell them apart

Attack taxonomy
So far, we have been considering only passive eavesdropping of a single
ciphertext
a.k.a., ciphertext-only attack (COA)

In practice, stronger attacks need to be considered


Known-Plaintext Attacks (KPA)
Chosen-Plaintext Attacks (CPA-security)
Implies security for multiple messages encrypted using the same key
Chosen-Ciphertext Attacks (CCA by default, encompasses CPA)

Notes
What is the right threat model?

Multiple messages or a single message?


Passive/active adversary?
Ciphertext-only (COA),
Known-Plaintext (KPA),
Chosen-Plaintext (CPA),
Chosen-Ciphertext (CCA),

The threat model matters!


The classical encryption schemes we have seen are immediately broken by a knownplaintext attack (KPA)

Definitions?
c = Enck(m)

k
c

Ciphertext-only attack (COA)


Known/chosen-plaintext attack (KPA/CPA)
Chosen-ciphertext attack (CCA)

I know the message m


is either m0 or m1,
but which one?

Chosen-plaintext security (CPA)


Voters

Is the definition too strong?


Voting example:

Midway example

Chosen-plaintext security
Is security against chosen-plaintext attacks (CPA) even possible??
Deterministic encryption schemes cannot be secure against chosenplaintext attacks (CPA)
Nor can they be secure for encrypting multiple messages

To be secure against chosen-plaintext attack (CPA), encryption must


be randomized
Moral: always use randomized encryption!

Minimum requirements
The minimum level of security nowadays is security against chosenplaintext attacks (CPA)
Implies security when multiple messages encrypted

Security against chosen-ciphertext attacks CCA (or even stronger) is


often necessary
Make sure you are aware of this when deploying encryption!

We will revisit this issue after discussing message authentication

Ciphers
Symmetric-key crypto
One time pad (OTP) with keys as long as plaintext
Require pre-sharing huge random keys, but guarantees theoretically secure (perfect secrecy)

Block cipher reuse of single key with limited size


DES, 3DES, AES

Stream cipher Basically PRNGs


RC4, A5/1

Asymmetric-key crypto
DH, RSA

One-Time Pad: OTP (Vernam Cipher)

Advantages of OTP
Easy to compute
Encryption and decryption are the same operation
Bitwise XOR is very cheap to compute

As secure as theoretically possible


Given a ciphertext, all plaintexts are equally likely, regardless of attackers
computational resources
if and only if the key sequence is truly random
True randomness is expensive to obtain in large quantities

if and only if each key is as long as the plaintext


But how do the sender and receiver communicate the key to each other?
Where do they store the key?

Problems with OTP


Key must be as long as the plaintext
Impractical in most realistic scenarios
Still used for diplomatic and intelligence traffic

Does not guarantee integrity


One-time pad only guarantees confidentiality
Attacker cannot recover plaintext, but can easily change it to something else

Insecure if keys are reused


Attacker can obtain XOR of plaintexts

No integrity

Dangers if reuse

Cryptosystem
Binary alphabets
K = {0,1}
Plaintext
P = {0,1}
P

= {0,1} ,
E: P
C as ciphertext to look random
D: C
P as plaintext to be protected
,
, , = correctness
It is infeasible to find F: key secrecy

Ciphertext
C

Ciphers Symmetric-key crypto


Block cipher
Operates on a single chunk (blocks: fixed-length set of bits) of plaintext
Same key is reused for each block (can use short keys)
Result should look like a random permutation
Not impossible to break, just very expensive
If there is no more efficient algorithm (unproven assumption!), can only break
the cipher by brute-force , try-every-possible-key search
Time and cost of breaking the cipher exceed the value and/or useful lifetime of
protected information

Output blocksize generally same as input blocksize


DES (56-bit keys, 64-bit blocksize)
AES (128/192/256-bit keys, 128-bit blocksize)

Standardized Ciphers
Until 1970s, most strong ciphers were government secrets
NBS (now called NIST) issued a public call for a cipher; eventually
responded by IBM
Eventual result was DES
64-bit blocks (56-bit key + 8 bits for parity)
Outdated, but still in use (especially as 3DES)
3DES: DES + inverse DES + DES (with 2 or 3 different keys)

Block Ciphers I
Block ciphers Operates on a fixed-length set of bits (blocks)
Block ciphers vs. stream ciphers

Output block size generally same as input


Well-known examples:
DES (56-bit keys; 64-bit block size)
AES (128-, 192-, 256- bit keys; 128-bit block size)

Basic structure:
Optional key scheduling, convert supplied key to internal form
Multiple round of combining plaintext with key
DES with 16 rounds, AES with 10-14 round depending on key length

Block Ciphers II
Shared keyed, invertible permutation F
F is a deterministic function

Large key space, large block length


Indistinguishable from a random permutation
A block cipher is not an encryption scheme
A block cipher can be used to build an encryption scheme (and other things as well)

Example the trivial encryption scheme:


C = FK(m)
This is not randomized

Encryption from Block Ciphers


E(m,k) = < r , Fk(r) m >, for random r
Randomized!

Theorem: If F is a secure block cipher, this is CPA-secure


Notation:

=
=

=
=

( )

Data Encryption Standard (DES)


Developed in 1970s by IBM / NSA / NBS
Non-public design process

56-bit key, 64-bit block length


A 64-bit key is derived from 56 random bits
One bit in each octet is a parity-check bit

The short key length is a major concern


The short block length is also a concern

How DES Works


On each round (iteration):
16 iterations total per each operation

Divide the input block in half. The right half of each round becomes the left half
of the next rounds input
Take the right half, pass it through a non-linear function of data and key, and
exclusive-OR the result with the current inputs left half
The output of that function becomes the right half of the next rounds input
This is known as a Feistel network

#$

DES Round Structure " round (0 " 15)


E expansion phase
32 bit -> 48 bit w/ expansion permutation
duplicating half of the bits 8 of 6-bit
each 6-bit: 4 bit input, 2 bit copy on each end
XOR key mixing
key schedule provide 16 subkeys of 48-bit
from main key
S-box substitution phase
divided into 8 of 6-bit and fed to S-boxes
replacing 6-bit w/ 4-bit using non-linear
transformation by a lookup table
P-box permutation phase
rearranging 32-bits w/ fixed permutation
spreading S-boxes output bits across 4 diff ones

DES Mangler Function

Substitution and permutation alternation as confusion and diffusion principle


as necessary condition for a secure yet practical cipher

Key scheduler:
Left rotation by 1 or 2 bit
Permuted Choice (PC) boxes
64 bit -> 56 bit = 28 bit x2
28 bit -> 24 bit x2 = 48 bit
In decryption subkeys in reverse order

Decryption
Run the rounds backwards
In the example, )*+ is passed
unchanged to the previous round (as ,* )
Accordingly, it can be fed into - *
i-th Feistel network to be XORed with
,*+ to produce )*

Whats wrong with DES?


Key length is too short
A machine to crack DES was built in 1998 for $250K, breaking DES in days
Computation can be distributed to make it faster
Does not mean DES is insecure; depends on desired security

Charges that NSA could crack DES were leveled in 1979


Non-public design process back door suspicions
Claimed regarding (theoretical) attacks known to DES designers 15 years before public discovery!

Short block size

Repeated blocks happen too frequently (2/0 122"3"4"5" 2)

Algorithm depends on bit-manipulation, which is too slow in software (execution time)

3DES/triple-DES
Expands the key length

Now, key K = (K1, K2); |K| = 112


Stronger than simple DES twice
Protected against MITM attack
If indep , 6 , 7 then strongest scheme

Still has the short block length


The new block cipher is just:
EK1, K2(m) = DESK1(DES-1K2(DESK1(m)))

This is a permutation, and invertible


Fairly slow but widely used in practice
Backward compatibility

Images from Wikipedia

Advanced Encryption Standard (AES)


NIST issued an open call for submissions in 97

15 ciphers were submitted, from all over the world


Several open conferences were held (and NSA did its own private evaluations)
5 ciphers were eliminated as not secure enough
5 more dropped for inefficiency or low security margins

Of the 5 finalist, Rijndael (a Belgian submission) was chosen for its good security and very high
efficiency across a wide range of platforms
Supports 128/192/256-bit keys (default is 128-bit keys) and 128-bit block length
2128 is a huge number (estimated number of nanoseconds since big bang ~ 290 )

No compelling reason to use anything but AES


In particular, AES (possibly in stream cipher mode) is usually a better choice than a dedicated
stream cipher
NSA rates 128-bits AES as good enough for SECRET traffic, 256-bit AES is good enough for TOP
SECRET traffic

How Does Rijndael Work? I


Substitution-permutation based scheme

10/12/14 rounds (iterations)


Input block viewed as a byte array
Operate on 4x4 column-major order matrix of bytes (state) (16 x 8 = 128)
Subkeys for each round derived from Rijndael key schedule (KeyExpansion)
Subkey viewed as a 2-D matrix

The subkey is mixed with the state (entire block) in each round

The basic operations are individually reasonably tractable mathematically, but


are combined in a hard-to-invert fashion

How Does Rijndael Work? II


Each round consists of a series of simple, byte-oriented operations:
Initial round (1): AddRoundKey each state byte XOR w/ round key
Intermediate rounds (2 9/11/13):
ByteSubstitution nonlinear substitution of each byte using a lookup table (S-box)
ShiftRow transposition by cyclically L-shift each state row w/ a certain number (depending on row #,
except first row)
MixColumn mixing state columns by combining four bytes in each column using invertible linear
transformation
AddRoundKey

Last round (10/12/14): same as above except MixColumn step

Modes of Operation Encrypting Large Message


Direct use of a block cipher is inadvisable
Enemy can build up code book of plaintext/ciphertext equivalents a.k.a. dictionary

Direct use also only works on messages that are a multiple of the cipher block
size in length
Solution: five standard modes of operations
Used for encrypting a long message m = m1, , mn

Electronic Code Book (ECB)


Cipher Block Chaining (CBC)
Cipher FeedBack (CFB)
Output FeedBack (OFB)
and CounTeR (CTR)

Electronic Code Book - ECB


Direct use of the block cipher
split plaintext into blocks
encrypt each one separately using block ciphers

Ci = FK(mi); the ciphertext is C = (C1, , Cn)


Used primarily to transmit encrypted keys

Very weak if used for general-purpose encryption, never use for a file or a message
Dictionary attack

Notation:

denotes encryption of plaintext P with key k to produce ciphertext C

denotes decryption of ciphertext C with key k to produce plaintext P


Using * and 8* interchangeably to refer to the " #$ block of plaintext

Electronic Code Book - ECB


Not even secure against
ciphertext-only attacks

Images from Wikipedia

Padding, same key usage


Same plaintext blocks w/ same
ciphertext blocks (inf. leakage)

original

encrypted using ECB mode

Cipher Block Chaining - CBC


Ciphertext of each encrypted
block depends on plaintext of
all preceding blocks
Initial Vector (IV) as dummy
initial ciphertext block 9 , which
the receiver (decipher) must know
Consider a 4-block message:
=
7 =

;<
7 6

6
0

=
=

0 7

If 6 is damaged during transmission,


IV ; Ci = FK(mi Ci-1) ; the ciphertext is (IV, C1, , Cn)
what happens to the plaintext? Next slide!

CBC Encryption & Decryption

Error Propagation in CBC Mode


Look at the decryption process, where = is a garbled version of C:
=
7 =

depends only on

;<
=?

depends on

=
=

6
0

and IV, and is unaffected


, and hence is garbled

and

on

and

6,

and is also garbled. The enemy can control the change to

depends on

and

7,

and not

7 depends
7.
0

6;

thus it isnt affected

Conclusion: Two blocks change, one of them predictably

Cutting and Pasting CBC Messages


Consider the encrypted message
C:

;<,

6, 7, 0, @

The shortened message ;<,


The truncated message
Even

6, 7, 0

6, 7, 0

6, 7, 0, @

appears valid

is valid,

acts as the ;<

is valid, and will decrypt properly

Any subset of a CBC message will decrypt cleanly


If we snip out blocks, leaving ;<,

0, @,

we only garble one extra block of plaintext

Conclusion: if you want message integrity, you have to do it yourself (not guaranteed here)

bit Cipher FeedBack - CFB

Properties of CFB Mode


Underlying block cipher used only in encryption mode
(both in encryption and decryption phase)

Feedback path actually incorporates a shift register


some of the previous cycles ciphertext can be retained

8-bit CFB is good for asynchronous terminal traffic


Errors propagate while bad data is in shift register
17 bytes for -AB when using AES

Copes gracefully with deletion of

bit unit

bit Output FeedBack - OFB


IV; zi = FK(zi-1); Ci = zi mi
Ciphertext is (IV, C1, , Cn)

Properties of OFB
No error propagation
Active attacker can make controlled changes to plaintext
OFB is a form of stream cipher

Properties of Counter Mode - CTR


Another form of stream cipher
IV; zi = FK(IV+i); Ci = zi mi; the ciphertext is (IV, C1, .., Cn)
Frequently split the counter into two sections:
Message number & block number within the message

Active attacker can make controlled changes to plaintext


Highly parallelizable; no linkage between stages
Vital that counter never repeat for any given key

Which Mode for What Task?


CBC, OFB, and CTR modes are secure against chosen-plaintext attacks (CPA)
CBC, OFB, and CTR modes are not secure against chosen-ciphertext attacks (CCA)
General file or packet encryption: CBC
Input must be padded to multiple of cipher block size

Risk of byte or bit deletion: =DEF 1G =DEH


Bit stream; noisy line and error propagation is undesirable: OFB
Very high-speed data: CTR
In most situation, an integrity check is needed
Images from Wikipedia

Ciphers Symmetric-key crypto


Stream cipher Basically PRNGs
Reuse of single key with limited size
Pseudo-OTP w/ reusable keying vs. OTP
RC4
A5/1
Used for GSM cellphone encryption
Not very secure
Block ciphers can also be turned into stream ciphers

Stream Cipher
Key stream generator to produce pseudo-random sequence S
Unique for each plaintext

Combining key stream with plaintext (XOR)

J*

Suitable for asynchronous traffic


RC4 (used in SSL): very efficient
Internal state is 256-byte array plus two integers

Key stream S must never be reused for different plaintexts, or else:


=K
=A

RC4
Extremely efficient
After key setup, it just produces a key stream
No way to resynchronize except by rekeying and starting over
Internal state is a 256-byte array plus two integers
Note: weaknesses if used in ways other than as a stream cipher
Snake oil alert! If the key stream is algorithmically generated (), its not a one-time pad!

CPU Speed vs. Key Size


A cipher is no stronger than its key length
If there are too few keys, an attacker can enumerate all possible keys

Strength of cipher depends on how long it needs to resist attack


No good reason to use less than 128 bits

Adding one bit to the key doubles the work force for brute force attacks
The effect on encryption time is often negligible or even free
It costs nothing to use a longer RC4 key
Going from 128-bit AES to 256-bit AES takes (at most) 40% longer

But increases the attackers effort by a factor of 2

6B

Using triple DES cost 3x more to encrypt, but increases the attackers effort by a factor of 2

Moores Law favors the defender

Homework #3
Due next week during the lecture (Thu. 09/24/2015 at 7:00pm)
Homework:
Reading assignment: Submit your review to course web page
Manuel Egele, David Brumley, Yanick Fratantonio, Christopher Kruegel, An Empirical
Study of Cryptographic Misuse in Android Applications
https://www.cs.ucsb.edu/~chris/research/doc/ccs13_cryptolint.pdf
Students randomly selected to provide their summary of the reading assignment in-class
during the following lecture

Review of Lecture
What did we learn?

PRNGs
Attack models on crypto
One-time pad
Cryptosystem - Symmetric-key cryptography: Block cipher & Stream cipher
Block cipher as a symmetric cryptography DES, AES, 3DES
Modes of operation - ECE, CBC, CFB, OFB, CTR
Stream cipher RC4

Whats next?
Message integrity MAC, Digital Signature
Asymmetric cryptography - DH, RSA

Sources
In addition to the textbooks mentioned in course syllabus, the course
material is in part borrowed from the following sources:
Jonathan Katz, CMSC414 Computer and Network Security
Tudor Dumitras, ENEE757 Network and Distributed System Security
Robert Maxwell, ENPM808D Security Tools for Information Security
Tudor Dumitras, ENEE759D Security Data Science