network security - ailab.cs.nchu.edu.twailab.cs.nchu.edu.tw/course/networksecurity/103/ns03.pdf ·...


Network Security

Lecture 3
March 16, 2015

洪國寶

Outline

• Review
• Symmetric encryption -- Classical techniques (Cont.)
• Symmetric encryption -- Modern techniques
  – secure encryption schemes
  – modern symmetric block encryption techniques

Review

• Introduction and terminologies
• Definition of cryptosystem and cryptanalysis
• Types of encryption
  – operations
  – the number of keys used
  – the way the plaintext is processed
• Symmetric encryption -- Classical techniques
  – substitution:
    • monoalphabetic: Caesar, Playfair, Hill
    • polyalphabetic: Vigenère tableau
  – transposition

Review: Steganography vs Cryptography

• Types of transformation (in the model for network communication security)
  – Steganography: conceal the existence of the secret message
  – Cryptography: render the secret message unintelligible to outsiders

Review: Definition of cryptosystems

A cryptosystem is a five-tuple (P,C,K,E,D), where the following conditions are satisfied:

1. P is a finite set of possible plaintexts
2. C is a finite set of possible ciphertexts
3. K, the key space, is a finite set of possible keys
4. For each k K, there is an encryption rule eKE and a corresponding decryption rule dK D. Each eK :P C and dK : C P are functions such that dK(eK(x)) = x for every plaintext x P.

Example: Caesar cipher

Example: Caesar (shift) cipher

• P = {0(A), 1(B), …, 25(Z)}
• C = {0(A), 1(B), …, 25(Z)}
• K = {0, 1, 2, …, 25}
• ek(x) ≡ x + k mod 26
• dk(y) ≡ y – k mod 26

Review: Attacking a cryptosystem

• Cryptanalysis approach: this type of attack exploits the characteristics of the algorithm plus perhaps some knowledge of the general characteristics of the plaintext or even some sample plaintext-ciphertext pairs.
• Brute force approach: an attacker tries every possible key on a piece of ciphertext until an intelligible translation into plaintext is obtained.

Review: Kerckhoffs's principle

• It is hard (and often impossible) to keep a cryptosystem in use secret!
• Designing a good cryptosystem is hard! If you don’t publish, nobody will analyze your scheme . . . except for the bad guys!
• Distinguish system itself (= algorithm) from key:
  – Key: secret, easy to change, chosen at random from large set of possible keys.
• Assume: Bad guys know system but don’t know key!

Review: More Definitions

• unconditional security
  – no matter how much computer power is available, the cipher cannot be broken since the ciphertext provides insufficient information to uniquely determine the corresponding plaintext
• computational security
  – given limited computing resources (eg time needed for calculations is greater than age of universe), the cipher cannot be broken

Review: Cryptographic systems

• can characterize by:
  – type of encryption operations used
    • substitution / transposition / product
  – number of keys used
    • single-key or private / two-key or public
  – way in which plaintext is processed
    • block / stream

Review: Classical Substitution Ciphers

• where letters of plaintext are replaced by other letters or by numbers or symbols
  – monoalphabetic:
    • Single letter: Caesar
    • Multiple letter: Playfair, Hill
  – polyalphabetic:
    • Vigenère tableau

Review: Monoalphabetic Cipher

• shuffle the letters arbitrarily
• each plaintext letter maps to a different random ciphertext letter
• hence key is 26 letters long, |K|=26!

Plain:      abcdefghijklmnopqrstuvwxyz
Cipher:     DKVQFIBJWPESCXHTMYAUOLRGZN
Plaintext:  ifwewishtoreplaceletters
Ciphertext: WIRFRWAJUHYFTSDVFSFUUFYA

Review: Monoalphabetic Cipher

Language Redundancy and Cryptanalysis

• human languages are redundant
  – eg "th lrd s m shphrd shll nt wnt"
• letters are not equally commonly used
  – in English e is by far the most common letter, then T,R,N,I,O,A,S
  – other letters Z,J,K,Q,X are fairly rare
• have tables of single, double & triple letter frequencies
• Single letter monoalphabetic substitution ciphers are insecure.

Review: Playfair Cipher: Key Matrix

• a 5X5 matrix of letters based on a keyword
• fill in letters of keyword (sans duplicates)
• fill rest of matrix with other letters
• eg. using the keyword MONARCHY

M O N A R
C H Y B D
E F G I K
L P Q S T
U V W X Z

Review: Playfair Cipher Encrypting and Decrypting

• plaintext encrypted two letters at a time:
  1. if a pair is a repeated letter, insert a filler like 'X', eg. "balloon" encrypts as "ba lx lo on"
  2. if both letters fall in the same row, replace each with letter to right (wrapping back to start from end), eg. "ar" encrypts as "RM"
  3. if both letters fall in the same column, replace each with the letter below it (again wrapping to top from bottom), eg. "mu" encrypts to "CM"
  4. otherwise each letter is replaced by the one in its row in the column of the other letter of the pair, eg. "hs" encrypts to "BP", and "ea" to "IM" or "JM" (as desired)

Review: Hill cipher

• Hill 1929
• The encryption algorithm takes m successive plaintext letters and substitutes for them m ciphertext letters.
• K = {m m invertible matrices over Z26 }
• Hill cipher completely hides single letter frequencies (i.e. Hill cipher is strong against ciphertext only attack.)
• Hill cipher can be easily broken with a known plaintext attack (only need m plaintext-ciphertext pairs).

Review: comparison

Substitution      Single/multiple letter   Vulnerable to
Caesar cipher     Single                   Ciphertext-only attack
Playfair cipher   Multiple                 Ciphertext-only attack (need more ciphertexts)
Hill cipher       Multiple                 Known-plaintext attack


Polyalphabetic Ciphers

• Polyalphabetic substitution cipher
  – Improves on the simple monoalphabetic technique by using different monoalphabetic substitutions as one proceeds through the plaintext message
  – makes cryptanalysis harder with more alphabets to guess and flatter frequency distribution

Vigenère Cipher

• simplest polyalphabetic substitution cipher is the Vigenère Cipher (p. 64)
• effectively multiple caesar ciphers
• key is multiple letters long K = k1 k2 ... kd
• ith letter specifies ith alphabet to use
• use each alphabet in turn
• repeat from start after d letters in message
• decryption simply works in reverse

Example

• write the plaintext out
• write the keyword repeated above it
• use each key letter as a caesar cipher key
• encrypt the corresponding plaintext letter
• eg using keyword deceptive

key:        deceptivedeceptivedeceptive
plaintext:  wearediscoveredsaveyourself
ciphertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ

Aids

• simple aids can assist with en/decryption
• expand into a Vigenère Tableau (see text Table 2.3)

Security of Vigenère Ciphers

• have multiple ciphertext letters for each plaintext letter
• hence letter frequencies are obscured
• but not totally lost
• start with letter frequencies
  – see if look monoalphabetic or not
• if not, then need to determine number of alphabets, since then can attack each

Kasiski Method

• method developed by Babbage / Kasiski
• repetitions in ciphertext give clues to period
• so find same plaintext an exact period apart which results in the same ciphertext
• of course, could also be random fluke
• eg repeated "VTW" in previous example
  – suggests size of 3 or 9
  – then attack each monoalphabetic cipher individually using same techniques as before


Vigenère Autokey System

• A keyword is concatenated with the plaintext itself to provide a running key
• Example:

key:        deceptivewearediscoveredsav
plaintext:  wearediscoveredsaveyourself
ciphertext: ZICVTWQNGKZEIIGASXSTSLVVWLA

• Even this scheme is vulnerable to cryptanalysis
  – Because the key and the plaintext share the same frequency distribution of letters, a statistical technique can be applied
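The Vigenère example, the Kasiski repetition test and the autokey variant from the slides above, as an added Python example that is not part of the original lecture. The function names are chosen here for illustration; the plaintext, keyword and ciphertexts are the ones on the slides.

```python
from collections import defaultdict
from functools import reduce
from math import gcd

A = ord("A")


def vigenere(text, key, decrypt=False):
    """Repeating-key Vigenere: letter i is Caesar-shifted by key letter i mod d."""
    sign = -1 if decrypt else 1
    shifts = [ord(c) - A for c in key.upper()]
    return "".join(
        chr((ord(ch) - A + sign * shifts[i % len(shifts)]) % 26 + A)
        for i, ch in enumerate(text.upper())
    )


def autokey_encrypt(plaintext, keyword):
    """Autokey: the running key is the keyword followed by the plaintext itself."""
    running = (keyword + plaintext)[:len(plaintext)].upper()
    return "".join(
        chr((ord(p) - A + ord(k) - A) % 26 + A)
        for p, k in zip(plaintext.upper(), running)
    )


def kasiski_repeats(ciphertext, length=3):
    """Map every repeated n-gram to the distances between successive occurrences."""
    positions = defaultdict(list)
    for i in range(len(ciphertext) - length + 1):
        positions[ciphertext[i:i + length]].append(i)
    return {
        gram: [b - a for a, b in zip(pos, pos[1:])]
        for gram, pos in positions.items()
        if len(pos) > 1
    }


def candidate_periods(repeats):
    """Key lengths consistent with all repeats: divisors (> 1) of the gcd of the distances."""
    distances = [d for ds in repeats.values() for d in ds]
    if not distances:
        return []          # no repetition, so the method gives no estimate
    g = reduce(gcd, distances)
    return [d for d in range(2, g + 1) if g % d == 0]


PLAINTEXT = "wearediscoveredsaveyourself"   # the slide's example message
KEYWORD = "deceptive"                        # the slide's keyword (d = 9)

if __name__ == "__main__":
    ct = vigenere(PLAINTEXT, KEYWORD)
    reps = kasiski_repeats(ct)
    print(ct, reps, candidate_periods(reps))
    auto = autokey_encrypt(PLAINTEXT, KEYWORD)
    print(auto, kasiski_repeats(auto))
```

The repeating-key ciphertext contains VTW twice, 9 positions apart, which gives the candidate periods 3 and 9; the autokey ciphertext of the same message has no repeated trigram, which is why its analysis rests on letter statistics instead.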

Vernam Cipher

One-Time Pad (1/3)

• If a truly random key as long as the message is used, the cipher will be secure.
• It is called a One-Time pad (OTP)

P = C = K = (Z2)^n, n ≥ 1
k = (k1, k2, …, kn)
x = (x1, x2, …, xn)
y = (y1, y2, …, yn)

ek(x) = (x1 k1, x2 k2, …, xn kn)
dk(y) = (y1 k1, y2 k2, …, yn kn)

One-Time Pad (2/3)

• One-Time pad is unbreakable since if k is random then y is random too (that is, ciphertext bears no statistical relationship to the plaintext) and for any plaintext & any ciphertext there exists a key mapping one to other.
• In practice, two fundamental difficulties
  – Supplying truly random keys of large volume is a significant task
  – Key distribution and protection are problematic

One-Time Pad (3/3)

• One-Time pad is of limited utility, and is useful primarily for low bandwidth channels requiring very high security.

Symmetric encryption -- Classical techniques (Cont.)

• Introduction and terminologies
• Definition of cryptosystem and cryptanalysis
• Types of encryption
  – operations
  – the number of keys used
  – the way the plaintext is processed
• Symmetric encryption -- Classical techniques
  – substitution:
    • monoalphabetic: Caesar, Playfair, Hill
    • polyalphabetic: Vigenère tableau
  – transposition

Transposition Ciphers

• now consider classical transposition or permutation ciphers

• these hide the message by rearranging the letter order

• without altering the actual letters used

Rail Fence cipher

• write message letters out diagonally over a number of rows
• then read off cipher row by row
• eg. write message out as:

m e m a t r h t g p r y
 e t e f e t e o a a t

• giving ciphertext MEMATRHTGPRYETEFETEOAAT

Row Transposition Ciphers

• a more complex scheme
• write letters of message out in rows over a specified number of columns
• then reorder the columns according to some key before reading off the rows

Key:        4 3 1 2 5 6 7
Plaintext:  a t t a c k p
            o s t p o n e
            d u n t i l t
            w o a m x y z
Ciphertext: TTNAAPTMTSUOAODWCOIXKNLYPETZ

Product Ciphers

• ciphers using substitutions or transpositions are not secure because of language characteristics
• hence consider using several ciphers in succession to make harder, but:
  – two substitutions make a more complex substitution
  – two transpositions make more complex transposition
  – but a substitution followed by a transposition makes a new much harder cipher
• this is bridge from classical to modern ciphers


Symmetric cryptosystems: modern techniques

• secure encryption schemes
  – unconditionally secure / computationally secure
  – Shannon and modern cryptography
  – perfect secrecy and one time pad
  – confusion and diffusion
• modern symmetric block encryption techniques
  – introduction
  – Feistel Network
  – DES and its variants
  – Blowfish
  – RC5

Unconditionally secure / Computationally secure

• A scheme is secure in
  – information theoretical sense (unconditional): no matter how much computer power is available, the cipher cannot be broken since the ciphertext provides insufficient information to uniquely determine the corresponding plaintext
  – computational sense: it is computationally infeasible, rather than information-theoretically impossible, for an attacker to recover a plaintext from its ciphertext. That is, given limited computing resources (eg time needed for calculations is greater than age of universe), the cipher cannot be broken.

Shannon and Modern Cryptography

• Claude Shannon, the creator of modern information theory
  – Born in 1916, died in 2001
  – Collected papers in http://www.research.att.com/~njas/doc/shannon.html
• Two important papers about information theory
  – Published in 1948 and 1949
  – Addressed two related problems: the noisy channel problem and the secrecy problem
  – These form the basis of modern digital communication systems

Shannon and One-time-pad

• One time pad provides perfect secrecy.
• Perfect secrecy:
  – Ciphertext is indistinguishable from a random string
  – There are no clues in the ciphertext that will make it any easier to get the key or the plaintext
• To define perfect secrecy mathematically involves probability theory.

Shannon and Perfect secrecy

• A cryptosystem provides perfect secrecy if and only if xP, yC, Pp(x|y) = Pp(x)
  – Equivalently Pc(y|x) = Pc(y)
• Theorem: Suppose (P,C,K,E,D) is a cryptosystem where |P|=|C|=|K|. Then the cryptosystem provides perfect secrecy if and only if
  – every key is used with equal probability, and
  – xP, yC, a unique key k such that ek(x) = y

Use blackboard

Shannon and Perfect secrecy

• Corollary: One time pad provides perfect secrecy against passive attacks.
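An added check of the definition, theorem and corollary above (not from the lecture): it computes P(x|y) exactly with rational arithmetic for a 2-bit one-time pad and for two variants that break the theorem's conditions. The distributions and function names are constructed for this example, and XOR is used as the addition in (Z2)^n.

```python
from fractions import Fraction
from itertools import product


def posterior(plain_prior, key_prior, encrypt):
    """Return {(x, y): P(x | y)} for every ciphertext y that occurs with P(y) > 0."""
    joint = {}                       # P(x, y): sum of P(x)P(k) over keys with e_k(x) = y
    for (x, px), (k, pk) in product(plain_prior.items(), key_prior.items()):
        y = encrypt(k, x)
        joint[(x, y)] = joint.get((x, y), Fraction(0)) + px * pk
    p_y = {}                         # P(y): marginal over plaintexts
    for (_, y), p in joint.items():
        p_y[y] = p_y.get(y, Fraction(0)) + p
    return {
        (x, y): joint.get((x, y), Fraction(0)) / p_y[y]
        for x in plain_prior
        for y in p_y
    }


def perfect_secrecy(plain_prior, key_prior, encrypt):
    """True iff P(x | y) = P(x) for every plaintext x and every possible ciphertext y."""
    post = posterior(plain_prior, key_prior, encrypt)
    return all(p == plain_prior[x] for (x, _), p in post.items())


def uniform(values):
    """Equiprobable distribution over the given values."""
    values = list(values)
    return {v: Fraction(1, len(values)) for v in values}


def xor(k, x):
    """One-time pad on integers read as bit strings: y = x xor k."""
    return x ^ k


def short_key(k, x):
    """A single key bit reused for both bits of a 2-bit message (key shorter than message)."""
    return (x[0] ^ k, x[1] ^ k)


# Constructed sample distributions over 2-bit blocks (n = 2).
SKEWED_PLAINTEXTS = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 8), 3: Fraction(1, 8)}
UNIFORM_KEYS = uniform(range(4))
BIASED_KEYS = {0: Fraction(1, 2), 1: Fraction(1, 6), 2: Fraction(1, 6), 3: Fraction(1, 6)}
TWO_BIT_MESSAGES = uniform(product((0, 1), repeat=2))
ONE_BIT_KEYS = uniform((0, 1))

if __name__ == "__main__":
    print(perfect_secrecy(SKEWED_PLAINTEXTS, UNIFORM_KEYS, xor))
    print(perfect_secrecy(SKEWED_PLAINTEXTS, BIASED_KEYS, xor))
    print(perfect_secrecy(TWO_BIT_MESSAGES, ONE_BIT_KEYS, short_key))
```

With equiprobable keys the posterior equals the prior even for a skewed plaintext distribution; with a biased key, or a key shorter than the message, observing the ciphertext changes the odds of the plaintext.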

Shannon and Substitution-Permutation Ciphers

• in 1949 Claude Shannon introduced idea of substitution-permutation (S-P) networks
  – modern substitution-transposition product cipher
• these form the basis of modern block ciphers
• S-P networks are based on the two primitive cryptographic operations we have seen before:
  – substitution (S-box)
  – permutation (P-box)
• provide confusion and diffusion of message

Diffusion and Confusion

• Terms introduced by Claude Shannon to capture the two basic building blocks for any cryptographic system
  – Shannon’s concern was to thwart cryptanalysis based on statistical analysis


Modern Block Ciphers: introduction

• Modern block ciphers
  – P = C = {binary strings of fixed length}
  – Can be regarded as substitution ciphers
  – Substitution tables?
• Classical substitution is vulnerable to statistical analysis (of the plaintext) and brute force attacks
  – Reason: |P| and |K| are too small

Modern Block Ciphers: introduction

• To make statistical analysis (of the plaintext) and brute force attacks infeasible
  – |P| and |K| must be large
  – For n-bit block, we need to choose
    • Large n and
    • Arbitrary reversible substitution between P and C
  – Reason: need a large amount of plaintexts and ciphertexts and space for statistical analysis

Modern Block Ciphers: introduction

• Problem: To determine the specific mapping from all possible mappings requires |K| = 2^n!
  – Equivalently, the size of a key is n2^n
  – For n = 64, the size of a key is 64 2^64 = 10^21 bits

Modern Block Ciphers: introduction

• Solution: confine ourselves to a subset of the 2^n! possible mappings.
  – For example, Hill cipher
  – Utilize the concept of product cipher
    • Shannon SPN
    • Feistel cipher structure


Block Cipher Principles

• block ciphers look like an extremely large substitution
• would need table of 2^64 entries (each has 64 bits) for a 64-bit block
• instead create from smaller building blocks
• using idea of a product cipher
• most symmetric block ciphers are based on a Feistel Cipher Structure

Feistel Cipher Structure

• Horst Feistel devised the Feistel cipher
  – based on concept of invertible product cipher
• partitions input block into two halves
  – process through multiple rounds which
  – perform a substitution on left data half
  – based on round function of right half & subkey
  – then have permutation swapping halves
• implements Shannon’s substitution-permutation network concept

Feistel Cipher Design Principles

• block size
  – increasing size improves security, but slows cipher
• key size
  – increasing size improves security, makes exhaustive key searching harder, but may slow cipher
• number of rounds
  – increasing number improves security, but slows cipher
• subkey generation
  – greater complexity can make analysis harder, but slows cipher
• round function
  – greater complexity can make analysis harder, but slows cipher
• fast software en/decryption & ease of analysis
  – are more recent concerns for practical use and testing

Feistel Cipher Decryption


Data Encryption Standard (DES)

• most widely used block cipher in world
• adopted in 1977 by NBS (now NIST)
  – as FIPS PUB 46
• encrypts 64-bit data using 56-bit key
• has widespread use
• has been considerable controversy over its security

DES History

• IBM developed Lucifer cipher
  – by team led by Feistel
  – used 64-bit data blocks with 128-bit key
• then redeveloped as a commercial cipher with input from NSA and others
• in 1973 NBS issued request for proposals for a national cipher standard
• IBM submitted their revised Lucifer which was eventually accepted as the DES

DES Design Controversy

• although DES standard is public
• was considerable controversy over design
  – in choice of 56-bit key (vs Lucifer 128-bit)
  – and because design criteria were classified
• subsequent events and public analysis show in fact design was appropriate
• DES has become widely used, esp in financial applications

DES Encryption

Initial Permutation IP

• first step of the data computation
• IP reorders the input data bits
• even bits to LH half, odd bits to RH half
• quite regular in structure (easy in h/w)
• see text Table 3.2
• example:

IP(675a6967 5e5a6b5a) = (ffb2194d 004df6fb)

Use blackboard

Permutation tables for DES (1/2)

DES Round Structure

• uses two 32-bit L & R halves
• as for any Feistel cipher can describe as:

Li = Ri–1
Ri = Li–1 xor F(Ri–1, Ki)

• takes 32-bit R half and 48-bit subkey and:
  – expands R to 48-bits using perm E
  – adds to subkey
  – passes through 8 S-boxes to get 32-bit result
  – finally permutes this using 32-bit perm P

Permutation tables for DES (2/2)


Substitution Boxes S

• have eight S-boxes which map 6 to 4 bits
• each S-box is actually 4 little 4 bit boxes
  – outer bits 1 & 6 (row bits) select one row
  – inner bits 2-5 (col bits) are substituted
  – result is 8 lots of 4 bits, or 32 bits
• row selection depends on both data & key
  – feature known as autoclaving (autokeying)
• example:

S(18 09 12 3d 11 17 38 39) = 5fd25e03

Use blackboard

DES Key Schedule

• forms subkeys used in each round
• consists of:
  – initial permutation of the key (PC1) which selects 56-bits in two 28-bit halves
  – 16 stages consisting of:
    • selecting 24-bits from each half
    • permuting them by PC2 for use in function f,
    • rotating each half separately either 1 or 2 places depending on the key rotation schedule K

Table 3.2

DES Example

Note: DES subkeys are shown as eight 6-bit values in hex format

(Table can be found on page 75 in textbook)

DES Decryption

• decrypt must unwind steps of data computation
• with Feistel design, do encryption steps again
• using subkeys in reverse order (SK16 … SK1)
• note that IP undoes final FP step of encryption
• 1st round with SK16 undoes 16th encrypt round
• ….
• 16th round with SK1 undoes 1st encrypt round
• then final FP undoes initial encryption IP
• thus recovering original data value

Use blackboard
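An added sketch (not the lecture's code and not DES) of the Feistel rounds from the Feistel Cipher Structure and DES Round Structure slides, and of decryption by running the same rounds with the subkeys reversed. The SHA-256 based round function, the key schedule and all names are assumptions made for illustration; IP/FP, the E expansion, the S-boxes and P are left out.

```python
import hashlib

HALF_BITS = 32
HALF_MASK = (1 << HALF_BITS) - 1


def round_function(right, subkey):
    """Toy F(R, K): first 32 bits of SHA-256(R || K). Many-to-one, so F has no inverse."""
    data = right.to_bytes(4, "big") + subkey.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def toy_subkeys(key, rounds=16):
    """Hypothetical key schedule (not DES's PC1/PC2): one 32-bit subkey per round."""
    return [
        int.from_bytes(hashlib.sha256(key + bytes([i])).digest()[:4], "big")
        for i in range(1, rounds + 1)
    ]


def feistel(block, subkeys):
    """Apply L_i = R_{i-1}, R_i = L_{i-1} xor F(R_{i-1}, K_i) to a 64-bit block."""
    left, right = block >> HALF_BITS, block & HALF_MASK
    for k in subkeys:
        left, right = right, left ^ round_function(right, k)
    # Swap the halves once more on output, so that running the same rounds
    # with the subkeys reversed walks the state back to (L_0, R_0).
    return (right << HALF_BITS) | left


def encrypt(block, subkeys):
    return feistel(block, subkeys)


def decrypt(block, subkeys):
    # Same routine, subkeys in reverse order (SK16 ... SK1 in the slide's terms).
    return feistel(block, subkeys[::-1])


SUBKEYS = toy_subkeys(b"constructed demo key")   # constructed sample key
PLAINTEXT = 0x675A69675E5A6B5A                   # the 64-bit value from the slide's IP example
CIPHERTEXT = encrypt(PLAINTEXT, SUBKEYS)

if __name__ == "__main__":
    print(f"ciphertext {CIPHERTEXT:016x}")
    print(f"decrypted  {decrypt(CIPHERTEXT, SUBKEYS):016x}")
```

Decryption never inverts F; it only recomputes F on the half that was passed through unchanged, which is why the round function can be any function of (R, K).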

Avalanche Effect

• key desirable property of encryption alg
• where a change of one input or key bit results in changing approx half output bits
• DES exhibits strong avalanche

Avalanche Effect

• Example 1:
  – Two plaintexts that differ by one bit
      0000000000000…. 000000000000
      1000000000000…..000000000000
  – Key: 0000001 1001011 …0110010
• Example 2:
  – Plaintext: 01101000 ….10100100
  – Two keys that differ by one bit
      1110010 1111011 …. 11011100
      0110010 1111011 …. 11011100

Avalanche Effect in DES

Strength of DES – Key Size

• 56-bit keys have 2^56 = 7.2 x 10^16 values
• brute force search looks hard
• recent advances have shown is possible
  – in 1997 on Internet in a few months
  – in 1998 on dedicated h/w (EFF) in a few days
  – in 1999 above combined in 22hrs!
• still must be able to recognize plaintext
• now have alternatives to DES

Strength of DES – Timing Attacks

• attacks actual implementation of cipher
• use knowledge of consequences of implementation to derive knowledge of some/all subkey bits
• specifically use fact that calculations can take varying times depending on the value of the inputs to it
• particularly problematic on smartcards

Strength of DES – Analytic Attacks

• now have several analytic attacks on DES
• these utilise some deep structure of the cipher
  – by gathering information about encryptions
  – can eventually recover some/all of the sub-key bits
  – if necessary then exhaustively search for the rest
• generally these are statistical attacks
• include
  – differential cryptanalysis
  – linear cryptanalysis
  – related key attacks

Differential Cryptanalysis

• Markov Ciphers and Differential Cryptanalysis (1991) J. Lai, J. L. Massey, S. Murphy.
• Main idea:
  – This is a chosen plaintext attack, assumes that an attacker knows (plaintext, ciphertext) pairs
  – Difference ∆P = P1 P2, ∆C = C1 C2
  – Distribution of ∆C’s given ∆P may reveal information about the key (certain key bits)
  – After finding several bits, use brute-force for the rest of the bits to find the key.

Differential Cryptanalysis of DES

• Surprisingly … DES was resistant to differential cryptanalysis.
• At the time DES was designed, the authors knew about differential cryptanalysis. S-boxes were designed to resist differential cryptanalysis.
• Against 8-round DES, attack requires 2^38 known plaintext-ciphertext pairs.
• Against 16-round DES, attack requires 2^47 chosen plaintexts.
• Differential cryptanalysis not effective against DES !!!

Linear Cryptanalysis of DES

• Another attack described in 1993 by M. Matsui
• Instead of looking for isolated points at which a block cipher behaves like something simpler, it involves trying to create a simpler approximation to the block cipher as a whole.
• It is an attack that can be applied to an iterated cipher.

Basic idea of linear cryptanalysis

• Suppose that
  (*) Pr [ Mi1Mi2 … Miu Cj1Cj2 … Cjv Kp1kp2 … kpw =1] = 0.5 +
• Then one can recover some key bits given large number of PT/CT pairs
• For DES, exists (*) with =2^-21
• Using this method, one can find 14 key bits using (2^21)^2 PT/CT pairs

Linear Cryptanalysis of DES

• M. Matsui showed (1993/1994) that DES can be broken:
  – 8 rounds: 2^21 known plaintext
  – 16 rounds: 2^43 known plaintext, 40 days to generate the pairs (plaintext, ciphertext) and 10 days to find the key
• The attack has no practical implication, requires too many pairs.
• The key size remains the main attack point.

DES Strength Against Various Attacks

Attack method                Known   Chosen   Storage complexity   Processing complexity
Exhaustive precomputation    -       1        2^56                 26 (table lookup)
Exhaustive search            1       -        negligible           2^55
Linear cryptanalysis         2^43    --       For texts            2^43
                             2^38                                  2^50
Differential cryptanalysis           2^47     For texts            2^47
                             2^55    --                            2^55

The weakest point of DES remains the size of the key (56 bits)!

DES Variants

• clear a replacement for DES was needed
  – theoretical attacks that can break it
  – demonstrated exhaustive key search attacks
• AES is a new cipher alternative
• prior to this alternative was to use multiple encryption with DES implementations

Double DES

Triple DES

Why Triple-DES?

• why not Double-DES?
  – NOT same as some other single-DES use, but have
• meet-in-the-middle attack
  – works whenever use a cipher twice
  – since X = EK1[P] = DK2[C]
  – attack by encrypting P with all keys and store
  – then decrypt C with keys and match X value
  – can show takes O(2^56) steps

Use blackboard
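An added example (not from the lecture) of why encrypting twice does not square the search cost: the meet-in-the-middle steps listed above, run against a constructed 16-bit toy cipher with 12-bit keys standing in for DES. The cipher, its constants, the keys and the plaintexts are all invented for this example.

```python
from collections import defaultdict

BLOCK_MASK = 0xFFFF          # 16-bit blocks
KEY_BITS = 12                # 2**12 single keys, 2**24 key pairs
MUL = 0x9E35                 # odd, hence invertible modulo 2**16
MUL_INV = pow(MUL, -1, 1 << 16)


def toy_encrypt(key, block):
    """Constructed toy cipher (not DES): 4 rounds of xor-key, multiply, rotate left 5."""
    for r in range(4):
        block = ((block ^ (key + r * 0x1111)) * MUL) & BLOCK_MASK
        block = ((block << 5) | (block >> 11)) & BLOCK_MASK
    return block


def toy_decrypt(key, block):
    """Inverse of toy_encrypt: undo the rounds in reverse order."""
    for r in reversed(range(4)):
        block = ((block >> 5) | (block << 11)) & BLOCK_MASK
        block = ((block * MUL_INV) & BLOCK_MASK) ^ (key + r * 0x1111)
    return block


def double_encrypt(k1, k2, block):
    """C = E_K2[E_K1[P]], the double-encryption construction."""
    return toy_encrypt(k2, toy_encrypt(k1, block))


def meet_in_the_middle(pairs):
    """Return (key pairs consistent with every (P, C) pair, cipher calls spent)."""
    (p0, c0), rest = pairs[0], pairs[1:]
    calls = 0
    middle = defaultdict(list)               # X = E_K1[P] -> every K1 that produces it
    for k1 in range(1 << KEY_BITS):
        middle[toy_encrypt(k1, p0)].append(k1)
        calls += 1
    found = []
    for k2 in range(1 << KEY_BITS):
        x = toy_decrypt(k2, c0)              # X = D_K2[C]
        calls += 1
        for k1 in middle.get(x, ()):
            # A match on one pair can be a coincidence; confirm on the others.
            consistent = True
            for p, c in rest:
                calls += 2
                if double_encrypt(k1, k2, p) != c:
                    consistent = False
                    break
            if consistent:
                found.append((k1, k2))
    return found, calls


SECRET = (0x5A3, 0xC17)                      # constructed key pair (K1, K2)
PAIRS = [(p, double_encrypt(*SECRET, p)) for p in (0x0000, 0x1234, 0xBEEF)]

if __name__ == "__main__":
    keys, calls = meet_in_the_middle(PAIRS)
    print(keys, calls, "cipher calls vs", 2 ** (2 * KEY_BITS), "key pairs")
```

The table costs one encryption per K1 and the lookup one decryption per K2, so the work grows like twice the single-key search plus storage for the table, which is the reason the slides move on to three encryptions.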

Triple-DES with Two-Keys

• hence must use 3 encryptions
  – would seem to need 3 distinct keys
• but can use 2 keys with E-D-E sequence
  – C = EK1[DK2[EK1[P]]]
  – encrypt & decrypt equivalent in security
  – if K1=K2 then can work with single DES
• standardized in ANSI X9.17 & ISO8732
• no current known practical attacks

Triple-DES with Three-Keys

• although are no practical attacks on two-key Triple-DES have some indications
• can use Triple-DES with Three-Keys to avoid even these
  – C = EK3[DK2[EK1[P]]]
• has been adopted by some Internet applications, eg PGP, S/MIME

Question?
