|
|
|
|
|
Josh Benaloh & Brian LaMacchia |
|
|
|
|
|
|
|
|
Setup: Alice wants to send a private message to
Bob. |
|
Precondition: Alice and Bob have previously
shared some secret known only to them. |
|
The pre-shared secret is the encryption key
Alice and Bob will use. |
|
|
|
|
|
|
|
|
Exhaustive search of keyspace must be infeasible |
|
More about this later… |
|
It must also be infeasible to find the key
given: |
|
Sample ciphertext and corresponding plaintext
(“known-plaintext attack”) |
|
The ability to feed ciphertext in and see what
plaintext comes out (“chosen-ciphertext attack”) |
|
or the other way around (“chosen-plaintext
attack”) |
|
If someone can find keys under any of these
conditions, the cipher isn’t considered secure |
|
|
|
|
|
|
Repeated XOR mask |
|
Pick a key number. XOR with each plaintext |
|
XOR with key again to decrypt |
|
INSECURE: just one plaintext/ciphertext gives
the key |
|
Monoalphabetic substitution |
|
Key is a table of letters and corresponding
ciphertexts |
|
a=m, b-x, c=b, d=r, etc. |
|
encrypt/decrypt by substitution |
|
Exhaustive search is really hard (26! keys to
try). |
|
INSECURE: statistical analysis of ciphertext
frequency |
|
|
|
|
Private-key (symmetric) ciphers are usually
divided into two classes. |
|
|
|
Block ciphers |
|
|
|
Stream ciphers |
|
|
|
|
Private-key (symmetric) ciphers are usually
divided into two classes. |
|
|
|
Block ciphers |
|
|
|
Stream ciphers |
|
|
|
|
|
Encrypt fixed-size blocks |
|
ciphertext = Encrypt(key,cleartext) |
|
cleartext = Decrypt(key,ciphertext) |
|
Encrypt function converts blocks of cleartext
bits to ciphertext bits |
|
Decrypt function converts back |
|
If the key is wrong, you get the wrong result |
|
Shouldn’t be possible to derive key given
cleartext, ciphertext pairs |
|
Examples include DES, 3DES, AES |
|
|
|
|
|
|
|
|
|
Encrypt/decrypt data a block at a time |
|
Encryption/decryption of sequential blocks may
be related |
|
Mode of operation |
|
We always encrypt/decrypt full blocks |
|
No partial blocks allowed by the cipher! |
|
Our plaintext may not be an even multiple of
blocks, so we may need to pad the last plaintext block |
|
|
|
|
Electronic Code Book (ECB) Encryption: |
|
|
|
|
Electronic Code Book (ECB) Decryption: |
|
|
|
|
|
Patterns in plaintext preserved in ciphertext |
|
|
|
|
|
|
|
|
|
No basic integrity protection. Must add or: |
|
Cipher block substitution and rearrangement
attacks |
|
Fabrication of information |
|
|
|
|
|
|
Cipher Block Chaining (CBC) Encryption: |
|
|
|
|
Cipher Block Chaining (CBC) Decryption: |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Typically, most Feistel ciphers are iterated for
about 16 rounds. |
|
Different “sub-keys” are used for each round. |
|
Sub-keys are derived from the master key or a
derived key schedule |
|
Even a weak round function can yield a strong
Feistel cipher if iterated sufficiently. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
What do we do if the length of the plaintext is
not an even multiple of the cipher’s block size? |
|
A: Drop the extra data on the floor |
|
(You really didn’t want it encrypted anyway) |
|
B: Throw an exception/return an error |
|
“User error” |
|
C: Pad the last block of plaintext so it’s a
full block, then encrypt it normally |
|
|
|
|
Add enough zeros to the end of the data so we
have a full block to encrypt |
|
Example: last block is 31 D9 7B D7 |
|
|
|
|
|
Zero padding yields: |
|
|
|
|
|
What’s wrong with padding with zeros? |
|
|
|
|
|
If my plaintext can end in a zero, I cannot tell
the plaintext data apart from the added pad |
|
Not always fatal, but in general zero is a legal
plaintext value |
|
We need something else... |
|
|
|
|
|
Idea: Pad the block with a value that depends on
the amount of padding needed. |
|
This lets you tell the pad apart from the
plaintext |
|
If you need n bytes of pad, pad with a value of
n! |
|
Example: Need to pad the last four bytes?
Use a value of 04: |
|
|
|
|
|
Removing a PKCS pad is easy: |
|
Look at the last byte of the last block of
plaintext – this is the pad value |
|
Remove that many bytes of padding |
|
|
|
|
What did I forget? |
|
What happens if the plaintext doesn’t need to be
padded? (Last block is already full...) |
|
|
|
|
If the last block is a full block, add an entire
block’s worth of padding: |
|
|
|
|
|
DES is not secure |
|
DES can be brute-forced (2^56 operations) |
|
In January 1998, a combination of the EFF DES
Cracker and distributed.net brute-forced a challenge in less than 24 hours |
|
Today, the common choices are: |
|
Triple-DES (two-key or three-key) |
|
AES (Rijndael) |
|
|
|
|
|
Triple-DES is DES run three times |
|
Sometimes called 3DES-EDE because it has three
stages: encryption-decryption-encryption |
|
|
|
|
|
Triple-DES can be run in either two-key or
three-key modes |
|
In two-key mode, K1 = K3 |
|
In three-key mode, K1, K2, K3 are all distinct |
|
If K1 = K2 = K3, you have just DES |
|
|
|
|
|
The details are everything |
|
And there are a lot of details |
|
Cipher design is much harder than you’d think |
|
Don’t ever design and use your own cipher! |
|
It won’t be nearly as secure as existing designs
like 3DES |
|
Don’t trust secret algorithms |
|
Need lots of review by skeptical experts to gain
confidence in a cipher |
|
|
|
|
Private-key (symmetric) ciphers are usually
divided into two classes. |
|
|
|
Block ciphers |
|
|
|
Stream ciphers |
|
|
|
|
|
An unconditionally secure cipher |
|
|
|
|
|
|
|
|
|
Problems: |
|
Number of random bits needed = sum of lengths of
all messages to be encrypted (not reusable) |
|
Random bits must be known to both sender and
recipient. |
|
|
|
|
|
|
Really good random numbers are hard to acquire |
|
Best bits come from physical systems |
|
Radioactive decay
(http://www.fourmilab.ch/hotbits/) |
|
Noise diodes |
|
Lava Lamps |
|
Getting many truly random bits is slow |
|
Getting many shared truly random bits is more
awkward |
|
Getting “good randomness” is important for many
crypto algorithms |
|
Picking private key components & secret keys |
|
Some algorithms (e.g. DSA) require random input! |
|
|
|
|
|
|
It sounds so easy: “Just pick some random bytes” |
|
No good standard source of computer randomness |
|
OS state (time-of-day, PID) is very low entropy |
|
User keyboard input is very unreliable |
|
Best practical options aren’t very good |
|
Inter-event timing (keyboard, network), timing
loops, fast clocks and interval timers |
|
Better would be /dev/random, or hardware
generator |
|
Intel 850 chipset (for Pentium motherboards) has
on-board hardware RNG |
|
|
|
|
|
How do we make a lot of “good” random bits from
a smaller number of “really good” random bits? |
|
We want “pseudo-random bits” |
|
Pseudo-random bitstrings are “polynomial time
indistinguishable” from truly random bitstrings |
|
In practice: use DES, hash functions to generate
bits from a random seed (FIPS 186) |
|
|
|
|
|
|
Use the secret key as a seed to a pseudo-random
number-generator. |
|
Take the stream of output bits from the PRNG and
XOR it with the plaintext to form the ciphertext. |
|
|
|
|
|
Generate mask bits |
|
ciphertext[i] = cleartext[i]+stream(key,state) |
|
cleartext[i] = ciphertext[i]-stream(key,state) |
|
Cipher produces a sequence of bits that is added
to the cleartext to produce ciphertext |
|
Receiver can generate the same sequence and
subtract from ciphertext to recover cleartext |
|
Must never re-use same part of stream |
|
Each bit is encrypted independently |
|
|
|
|
|
|
|
|
|
|
Initialization |
|
S[0..255] = 0,1,…,255 |
|
K[0..255] = Key,Key,Key,… |
|
for i = 0 to 255 |
|
j = (j + S[i] + K[i]) mod 256 |
|
swap S[i] and S[j] |
|
|
|
|
Iteration |
|
i = (i + 1) mod 256 |
|
j = (j + S[i]) mod 256 |
|
swap S[i] and S[j] |
|
t = (S[i] + S[j]) mod 256 |
|
Output S[t] |
|
|
|
|
It is easy for an adversary (even one who can’t
decrypt the ciphertext) to alter the plaintext in a known way. |
|
Bob to Bob’s Bank: Please transfer $0,000,002.00
to the account of my good friend Alice. |
|
|
|
|
It is easy for an adversary (even one who can’t
decrypt the ciphertext) to alter the plaintext in a known way. |
|
Bob to Bob’s Bank: Please transfer $1,000,002.00
to the account of my good friend Alice. |
|
|
|
|
It is easy for an adversary (even one who can’t
decrypt the ciphertext) to alter the plaintext in a known way. |
|
Bob to Bob’s Bank: Please transfer $1,000,002.00
to the account of my good friend Alice. |
|
This can be protected against by the careful
addition of appropriate redundancy. |
|
|
|
|
The idea of a check sum is great, but it is
designed to prevent accidental changes in a message. |
|
For cryptographic integrity, we need an
integrity check that is resilient against a smart and determined adversary. |
|
|
|
|
Generally, a one-way hash function is a function
H : {0,1}* ® {0,1}k (typically k is 128 or 160)
such that given an input value x, one cannot find a value x¢ ¹ x such H(x)
= H(x¢ ). |
|
|
|
|
There are many measures for one-way hashes. |
|
|
|
Non-invertability: given y, it’s difficult to find any x such that H(x) = y. |
|
|
|
Collision-intractability: one cannot find a pair of values x¢ ¹ x such that
H(x) = H(x¢ ). |
|
|
|
|
|
SHA-1 was designed by the US Government as part
of the Digital Signature Standard |
|
SHA-1 is the most-commonly used hash function
today |
|
It’s the hash function in which we have the most
faith right now |
|
SHA-1 takes any size input and produces a
160-bit output (the digest value) |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
What’s in the final 32-bit transform? |
|
Take the rightmost word. |
|
Add in the leftmost word rotated 5 bits. |
|
Add in a round-dependent function f of the
middle three words. |
|
|
|
|
|
|
Depending on the round, the “non-linear”
function f is one of the following. |
|
|
|
f(X,Y,Z) = (XÙY) Ú ((ØX)ÙZ) |
|
f(X,Y,Z) = (XÙY) Ú (XÙZ) Ú (YÙZ) |
|
f(X,Y,Z) = X Å Y Å Z |
|
|
|
|
What’s in the final 32-bit transform? |
|
Take the rightmost word. |
|
Add in the leftmost word rotated 5 bits. |
|
Add in a round-dependent function f of the
middle three words. |
|
|
|
|
What’s in the final 32-bit transform? |
|
Take the rightmost word. |
|
Add in the leftmost word rotated 5 bits. |
|
Add in a round-dependent function f of the
middle three words. |
|
Add in a round-dependent constant. |
|
|
|
|
What’s in the final 32-bit transform? |
|
Take the rightmost word. |
|
Add in the leftmost word rotated 5 bits. |
|
Add in a round-dependent function f of the
middle three words. |
|
Add in a round-dependent constant. |
|
Add in a portion of the 512-bit message. |
|
|
|
|
|
|
When using a stream cipher, a hash of the
message can be appended to ensure integrity. [Message Authentication Code] |
|
|
|
When forming a digital signature, the signature
need only be applied to a hash of the message. [Message Digest] |
|
Notes