Symmetric Cryptography - Courses
Symmetric Cryptography - Courses
Symmetric Cryptography - Courses
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Friday, September 28, 2012<br />
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A<br />
<strong>Symmetric</strong> Crypto<br />
Systems<br />
EECE 412<br />
Copyright © 2004-2012 Konstantin Beznosov<br />
1
2<br />
Module Outline<br />
! Stream ciphers “under the hood”<br />
! Block ciphers “under the hood”<br />
! Modes of operation for block ciphers<br />
Friday, September 28, 2012<br />
2
3<br />
Friday, September 28, 2012<br />
Stream Ciphers<br />
3
Random Generator (Stream Cipher)<br />
• In:<br />
• short string (key)<br />
• length of the output<br />
• Out: long random stream of bits (keystream)<br />
• Applications:<br />
• Communications<br />
encryption<br />
• Storage encryption<br />
Friday, September 28, 2012<br />
as Random Oracle<br />
Queries<br />
Responses<br />
Properties<br />
! Should not reuse<br />
• Use seed<br />
4
5<br />
Stream Ciphers<br />
! Not as popular today as block ciphers<br />
! A5/1<br />
• Designed for hardware implementations<br />
• Based on shift registers<br />
• Used in GSM mobile phone system<br />
! RC4<br />
Friday, September 28, 2012<br />
• Designed for software implementations<br />
• Based on a changing lookup table<br />
• Used many places<br />
5
6<br />
A5/1<br />
! A5/1 consists of 3 shift registers<br />
Friday, September 28, 2012<br />
• X: 19 bits (x 0 ,x 1 ,x 2 , …,x 18 )<br />
• Y: 22 bits (y 0 ,y 1 ,y 2 , …,y 21 )<br />
• Z: 23 bits (z 0 ,z 1 ,z 2 , …,z 22 )<br />
6
7<br />
A5/1<br />
! At each step: m = maj(x 8 , y 10 , z 10 )<br />
• Examples: maj(0,1,0) = 0 and maj(1,1,0) = 1<br />
! If x 8 = m then X steps<br />
• t = x 13 ⊕ x 16 ⊕ x 17 ⊕ x 18<br />
• x i = x i−1 for i = 18,17,…,1 and x 0 = t<br />
! If y 10 = m then Y steps<br />
• t = y 20 ⊕ y 21<br />
• y i = y i−1 for i = 21,20,…,1 and y 0 = t<br />
! If z 10 = m then Z steps<br />
• t = z 7 ⊕ z 20 ⊕ z 21 ⊕ z 22<br />
• z i = z i−1 for i = 22,21,…,1 and z 0 = t<br />
! Keystream bit is x 18 ⊕ y 21 ⊕ z 22<br />
Friday, September 28, 2012<br />
7
8<br />
X<br />
Y<br />
Z<br />
! Each value is a single bit<br />
A5/1<br />
x 0 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 x 10 x 11 x 12 x 13 x 14 x 15 x 16 x 17 x 18<br />
y 0 y 1 y 2 y 3 y 4 y 5 y 6 y 7 y 8 y 9 y 10 y 11 y 12 y 13 y 14 y 15 y 16 y 17 y 18 y 19 y 20 y 21<br />
z 0 z 1 z 2 z 3 z 4 z 5 z 6 z 7 z 8 z 9 z 10 z 11 z 12 z 13 z 14 z 15 z 16 z 17 z 18 z 19 z 20 z 21 z 22<br />
! Key is used as initial fill of registers<br />
! Each register steps or not, based on (x 8 , y 10 , z 10 )<br />
! Keystream bit is XOR of right bits of registers<br />
Friday, September 28, 2012<br />
⊕<br />
⊕<br />
⊕<br />
⊕<br />
8
9<br />
X<br />
Y<br />
Z<br />
A5/1: example<br />
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1<br />
1 1 0 0 1 1 0 0 1 1 0 0 1 1 0 0 1 1 0 0 0 1<br />
1 1 1 0 0 0 0 1 1 1 1 0 0 0 0 1 1 1 1 0 0 0 1<br />
! In this example, m = maj(x 8 , y 10 , z 10 ) = maj(1,0,1) = 1<br />
! Register X steps, Y does not step, and Z steps<br />
! Keystream bit is XOR of right bits of registers<br />
! Here, keystream bit will be 0 ⊕ 1 ⊕ 0 = 1<br />
Friday, September 28, 2012<br />
⊕<br />
⊕<br />
⊕<br />
⊕<br />
9
10<br />
Shift Register Crypto<br />
! Shift register-based crypto is efficient in<br />
hardware<br />
! Harder to implement in software<br />
! In the past, very popular<br />
! Today, more is done in software due to faster<br />
processors<br />
! Shift register crypto still used some<br />
Friday, September 28, 2012<br />
10
11<br />
Use of Stream Ciphers<br />
! Stream ciphers were big in the past<br />
Friday, September 28, 2012<br />
• Efficient in hardware<br />
• Speed needed to keep up with voice, etc.<br />
• Today, processors are fast, so software-based crypto is<br />
fast enough<br />
11
Friday, September 28, 2012<br />
Block Ciphers<br />
“Under the Hood”<br />
Copyright © 2004-2007 Konstantin Beznosov<br />
09/16/08<br />
12
Random Permutation (Block Cipher)<br />
• In<br />
• fixed size short string (plaintext) M,<br />
• DES -- 64 bits<br />
• Key K<br />
• Out<br />
• same fixed size short string<br />
(ciphertext) C<br />
Friday, September 28, 2012<br />
as Random Oracle<br />
13<br />
Queries<br />
Responses<br />
Notation<br />
! C = { M } K<br />
! M = { C } K<br />
Properties<br />
! Invertible<br />
K 1<br />
K 2<br />
13
14<br />
Related Notes<br />
! Main properties of block ciphers<br />
• invertible<br />
• confusing<br />
• diffusing<br />
! Main block ciphers<br />
Friday, September 28, 2012<br />
• Data Encryption Standard (DES)<br />
• Advanced Encryption Standard (AES) a.k.a.,<br />
Rijndael<br />
14
15<br />
(Iterated) Block Cipher<br />
! Plaintext and ciphertext consists of fixed sized<br />
blocks<br />
! Ciphertext obtained from plaintext by iterating<br />
a round function<br />
! Input to round function consists of key and the<br />
output of previous round<br />
! Usually implemented in software<br />
Friday, September 28, 2012<br />
15
16<br />
Feistel Cipher<br />
! type of block cipher design, not a specific cipher<br />
! Split plaintext block into left and right halves:<br />
Plaintext = (L 0 ,R 0 )<br />
! For each round i=1,2,...,n, compute<br />
! L i = R i−1<br />
! R i = L i−1 ⊕ F(R i−1 ,K i )<br />
! where F is round function and K i is subkey<br />
! Ciphertext = (L n ,R n )<br />
Friday, September 28, 2012<br />
16
17<br />
Feistel Cipher<br />
! Decryption: Ciphertext = (L n ,R n )<br />
! For each round i=n,n−1,…,1, compute<br />
" R i−1 = L i<br />
" L i−1 = R i ⊕ F(R i−1 ,K i )<br />
" where F is round function and K i is subkey<br />
! Plaintext = (L 0 ,R 0 )<br />
! Formula “works” for any function F<br />
! But only secure for certain functions F<br />
• silly round function example: F(x, y) == 0 for<br />
any x and y.<br />
Friday, September 28, 2012<br />
17
Advanced Encryption Standard<br />
18<br />
! Replacement for DES<br />
! AES competition (late 90’s)<br />
• NSA openly involved<br />
• Transparent process<br />
• Many strong algorithms proposed<br />
• Rijndael Algorithm ultimately selected<br />
• Pronounced like “Rain Doll” or “Rhine Doll”<br />
• invented by Joan Daemen and Vincent Rijmen<br />
! Iterated block cipher (like DES)<br />
Friday, September 28, 2012<br />
18
19<br />
AES Overview<br />
! Block size: 128, 192 or 256 bits<br />
! Key length: 128, 192 or 256 bits<br />
(independent of block size)<br />
! 10 to 14 rounds (depends on key length)<br />
! Each round uses 4 functions (in 3 “layers”)<br />
Friday, September 28, 2012<br />
• ByteSub (nonlinear layer)<br />
• ShiftRow (linear mixing layer)<br />
• MixColumn (nonlinear layer)<br />
• AddRoundKey (key addition layer)<br />
19
Friday, September 28, 2012<br />
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A<br />
AES demonstration<br />
20
Friday, September 28, 2012<br />
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A<br />
Modes of Operation<br />
21
• Literally, a book filled with “codewords”<br />
" " Februar"" " 13605<br />
" " fest"" " 13732<br />
" " finanzielle" " 13850<br />
" " folgender" " 13918<br />
" " Frieden"" " 17142<br />
" " Friedenschluss" 17149<br />
" " " :" " :<br />
Code book<br />
• Modern block ciphers are code books!<br />
Friday, September 28, 2012<br />
22
27<br />
Electronic Code Book (ECB)<br />
K<br />
ci = EK(mi)<br />
Drawbacks<br />
M = m 1 | m 2 | … | m n<br />
m 1<br />
E<br />
c 1<br />
C = c 1 | c 2 | … | c n<br />
• Same message has same ciphertext<br />
• Redundant/repetitive patterns will show through<br />
• Subject to “cut-and-splice” attacks<br />
Friday, September 28, 2012<br />
m 2<br />
E<br />
c 2<br />
…<br />
…<br />
…<br />
m n<br />
E<br />
c n<br />
23
28<br />
Friday, September 28, 2012<br />
Alice in ECB Mode<br />
24
Cipher Block Chaining (CBC)<br />
29<br />
M = m 1 | m 2 | … | m n<br />
init. vector (IV) m 1<br />
K<br />
C = IV | c 1 | c 2 | … | c n<br />
ci = EK(mi ⊕ ci-1)<br />
⊕<br />
Decrypting with CBC: mi = DK(ci) ⊕ ci-1<br />
E<br />
c 1<br />
Drawback: cannot precompute ci without ci-1<br />
Friday, September 28, 2012<br />
m 2<br />
⊕<br />
E<br />
c 2<br />
…<br />
…<br />
…<br />
25
30<br />
Friday, September 28, 2012<br />
Alice in CBC Mode<br />
26
Output Feedback (OFB) Mode<br />
• K0 = IV, K1 = EK (IV), K2 =EK (K1 ), … Ki =EK (Ki-1 ) …<br />
! C i = m i ⊕ E K (K i-1 )<br />
• draw OFB diagram, similar to the one for CBC<br />
• Purpose<br />
• use block cipher as a stream cipher<br />
• Drawback<br />
• K1, ... Ki must be kept in memory<br />
Friday, September 28, 2012<br />
27
35<br />
Counter Encryption<br />
! Drawbacks of feedback modes<br />
• Hard to parallelize<br />
• CBC -- cannot pre-compute<br />
• OFB -- memory requirements<br />
! Counter Encryption is easier to parallelize<br />
Friday, September 28, 2012<br />
• ci = mi ⊕ EK(IV+i)<br />
• mi = ci ⊕ EK(IV+i)<br />
• draw CE diagram for decryption<br />
28
36<br />
message authentication code<br />
! Purpose<br />
(MAC)<br />
• protect message integrity and authenticity<br />
! How to do MAC with a block cipher?<br />
init. vector (IV) m 1<br />
Friday, September 28, 2012<br />
⊕<br />
E k<br />
c 1<br />
m 2<br />
⊕<br />
E k<br />
c 2<br />
In CBC mode, the last block of<br />
cipher text serves as the MAC for<br />
the entire message<br />
29
37<br />
Hash Function from a Block<br />
h = H(M)<br />
1. Easy to compute h from M - efficient<br />
2. Hard to compute M from h – one way<br />
Cipher<br />
3. For given M, hard to find another M’ s.t. H(M) == H(M’) – weak collision resistance<br />
4. Hard to find any M & M’ s.t. H(M) == H(M’) – strong collision resistance<br />
hi-1 M i<br />
h i = E Mi (h i-1) ⊕ h i-1<br />
Friday, September 28, 2012<br />
key input<br />
plaintext input<br />
E<br />
⊕<br />
h i<br />
30
38<br />
Common Hash Functions and Applications<br />
! Common hash functions<br />
• (Message Digest) MD5<br />
value 128b<br />
• (Secure Hash Algorithm)<br />
SHA-1 180b value,<br />
SHA-256, SHA-512<br />
! Applications<br />
• MACs<br />
Friday, September 28, 2012<br />
• MAC K (M) = H(K,M)<br />
• HMAC K (M) = H(K ⊕ Α,<br />
Η(Κ ⊕Β,Μ)), Α & Β =<br />
magic (pg. 94, Stamp)<br />
• Time stamping service<br />
• key updating<br />
• K i = H(K i-1 )<br />
• Backward security<br />
• Autokeying<br />
• K i+1 = H(K i ,M i1 , M i2 , … )<br />
• Forward security<br />
31
39<br />
Key Points<br />
! Ciphers are either substitution, transposition<br />
(a.k.a., permutation), or product<br />
! Any block cipher should confuse and defuse<br />
! Block ciphers are implemented in SP-networks<br />
! Stream ciphers and hash functions are<br />
commonly implemented with block ciphers<br />
! Hash functions used for<br />
Friday, September 28, 2012<br />
• fingerprinting data, MAC, key updating, autokeying<br />
• Backward & forward security properties<br />
32