CS 556 – Computer Security Spring 2018
Dr. Indrajit Ray Email: [email protected]
Department of Computer Science Colorado State University Fort Collins, CO 80523, USA
Dr. Indrajit Ray, Computer Science Department CS 556 - Computer Security - c 2018 Colorado State University – 1 / 64 SECRET KEY CRYPTOSYSTEMS
SIMPLE CIPHERS
STRONGER CIPHERS
DATA ENCRYPTION STANDARD
DES DESIGN
BREAKING DES
DES TRIPLE SECRET KEY CRYPTOSYSTEMS ENCRYPTION
BEYOND DES
USING SYMMETRIC KEY CRYPTOSYSTEM
Dr. Indrajit Ray, Computer Science Department CS 556 - Computer Security - c 2018 Colorado State University – 2 / 64 Message Destination M 2018 Colorado State University – 3 / 64 ] 2 c 2
2 K D[C, K key K = Key Source Provides Or Produces Key Decrypt C with ter Security - C 1 C K Channel Channel Secure Key Cryptanalyst Insecure Communications ] M 1 1 1 K E[M, K key K Generates = Key Source Random Key C Encrypt M with M Source Message
Secret Key Cryptosystem PHERS CI DES EY IPHERS DES K YMMETRIC C ESIGN NCRYPTION S RIPLE RYPTOSYSTEM E C Dr. Indrajit Ray, Computer Science Department CS 556 - Compu SING RYPTOSYSTEMS ATA EY TANDARD ECRET IMPLE TRONGER REAKING NCRYPTION EYOND K S S S S D DES D B DES T E B U C n n n n n P C 2018 Colorado State University – 4 / 64 P P C block Encrypt Decrypt c
64 / 128 64bits / n-1 P Key Key ter Security - i i i i P C P C Encrypt Decrypt Plaintext Plaintext Ciphertext 2 P Key Key 1 1 1 1 1 P C P P C block Encrypt Decrypt 64 / 128 64bits / Key Key
Block Ciphers vs. Stream Ciphers (1) PHERS CI DES EY IPHERS DES K YMMETRIC C ESIGN NCRYPTION S RIPLE RYPTOSYSTEM E C Dr. Indrajit Ray, Computer Science Department CS 556 - Compu SING RYPTOSYSTEMS ATA EY TANDARD ECRET IMPLE TRONGER REAKING NCRYPTION EYOND K S S S S D DES D B DES T E B U C 2018 Colorado State University – 5 / 64 c
Plaintext Ciphertext byte stream byte byte stream byte ter Security - Plaintext Ciphertext byte stream byte byte stream byte + + Plaintext generator) generator) (key stream(key (key stream(key byte generator byte byte generator byte Pseudorandom Pseudorandom Key Key
Block Cipher vs. Stream Ciphers (2) PHERS CI DES EY IPHERS DES K YMMETRIC C ESIGN NCRYPTION S RIPLE RYPTOSYSTEM E C Dr. Indrajit Ray, Computer Science Department CS 556 - Compu SING RYPTOSYSTEMS ATA EY TANDARD ECRET IMPLE TRONGER REAKING NCRYPTION EYOND K S S S S D DES D B DES T E B U C 2018 Colorado State University – 6 / 64 c
ter Security - Reverse Cipher Column Transposition Rail Fence Scytale Cipher Nihilist Cipher Substitution Permutation or transposition ✦ ✦ ✦ ✦ ✦ Combination and iterations of these - Product ciphers
Basic Secret-Key Techniques ● ● ● PHERS CI DES EY IPHERS DES K YMMETRIC C ESIGN NCRYPTION S RIPLE RYPTOSYSTEM E C Dr. Indrajit Ray, Computer Science Department CS 556 - Compu SING RYPTOSYSTEMS ATA EY TANDARD ECRET IMPLE TRONGER REAKING NCRYPTION EYOND K S S S S D DES D B DES T E B U C SECRET KEY CRYPTOSYSTEMS
SIMPLE CIPHERS
STRONGER CIPHERS
DATA ENCRYPTION STANDARD
DES DESIGN
BREAKING DES
DES TRIPLE SIMPLE CIPHERS ENCRYPTION
BEYOND DES
USING SYMMETRIC KEY CRYPTOSYSTEM
Dr. Indrajit Ray, Computer Science Department CS 556 - Computer Security - c 2018 Colorado State University – 7 / 64 uage 2018 Colorado State University – 8 / 64 c
ter Security - 26 10 ≫ Plaintext ABCDEFGHIJKLMNOPQRSTUVWXYZ Ciphertext PZQSGIMBWXDFKJVCHAOLUTERYN plaintext) Also called Caesar cipher Huge key space: 26! Trivially broken for known plaintext attacks Easily broken for ciphertext only attacks (for natural lang Multiple encipherment does not helpsubstitutions (no in point sequence) in doing two
Simple Alphabetic Substitution ● ● ● ● ● PHERS CI DES EY IPHERS DES K YMMETRIC C ESIGN NCRYPTION S RIPLE RYPTOSYSTEM E C Dr. Indrajit Ray, Computer Science Department CS 556 - Compu SING RYPTOSYSTEMS ATA EY TANDARD ECRET IMPLE TRONGER REAKING NCRYPTION EYOND K S S S S D DES D B DES T E B U C age 2018 Colorado State University – 9 / 64 c
3 ter Security - 5 4 Plaintext 1 2 3 4 5 Ciphertext 1 2 plaintext) Key space N! for block sizeTrivially N broken for known plaintext attack Easily broken for ciphertext only attack (for natural langu Multiple encipherment does not help
Simple Permutation ● ● ● ● PHERS CI DES EY IPHERS DES K YMMETRIC C ESIGN NCRYPTION S RIPLE RYPTOSYSTEM E C Dr. Indrajit Ray, Computer Science Department CS 556 - Compu SING RYPTOSYSTEMS ATA EY TANDARD ECRET IMPLE TRONGER REAKING NCRYPTION EYOND K S S S S D DES D B DES T E B U C 2018 Colorado State University – 10 / 64 c
ter Security - Plaintext – ICAMEISAWICONQUERED Ciphertext – DERDUQNOCIWASIEMACI Reverse the order of the letters in✦ a message ✦
Reverse Cipher ● PHERS CI DES EY IPHERS DES K YMMETRIC C ESIGN NCRYPTION S RIPLE RYPTOSYSTEM E C Dr. Indrajit Ray, Computer Science Department CS 556 - Compu SING RYPTOSYSTEMS ATA EY TANDARD ECRET IMPLE TRONGER REAKING NCRYPTION EYOND K S S S S D DES D B DES T E B U C 2018 Colorado State University – 11 / 64 c
ter Security - Key; 4523617 Ciphertext: ecdtm ecaef auool edsam merne nasso dytnr vbnlc rltiq laetr igawe baaei hox t e d o c a w a v e s q x Column Transposition 1 2 3 4 5 6 7 l a s e f b a m s c n b e m o d u l a r y m o e i n t e l g e n c t h a n r d i o PHERS CI DES EY IPHERS DES K YMMETRIC C ESIGN NCRYPTION S RIPLE RYPTOSYSTEM E C Dr. Indrajit Ray, Computer Science Department CS 556 - Compu SING RYPTOSYSTEMS ATA EY TANDARD ECRET IMPLE TRONGER REAKING NCRYPTION EYOND K S S S S D DES D B DES T E B U C E D O L LOM 2018 Colorado State University – 12 / 64 c A
O ter Security - E I E H T I WS O NTMFRGN Write the message alternating lettersWrite in the two ciphertext rows from the rows Plaintext Ciphertext NWSHTMFRLGOMNOITEIEOALODE
Rail Fence Cipher ● ● PHERS CI DES EY IPHERS DES K YMMETRIC C ESIGN NCRYPTION S RIPLE RYPTOSYSTEM E C Dr. Indrajit Ray, Computer Science Department CS 556 - Compu SING RYPTOSYSTEMS ATA EY TANDARD ECRET IMPLE TRONGER REAKING NCRYPTION EYOND K S S S S D DES D B DES T E B U C g y 2018 Colorado State University – 13 / 64 c
H T N F ter Security - G S E L E I M L M D W I A O O T R N O E O Ciphertext: NEOOOTROWIADIMLMSELETFGNH staff in rows; then paper removedrandom leaving letters a strip of seemingl A strip of paper was wound round a staff; message written alon
Scytale Cipher ● PHERS CI DES EY IPHERS DES K YMMETRIC C ESIGN NCRYPTION S RIPLE RYPTOSYSTEM E C Dr. Indrajit Ray, Computer Science Department CS 556 - Compu SING RYPTOSYSTEMS ATA EY TANDARD ECRET IMPLE TRONGER REAKING NCRYPTION EYOND K S S S S D DES D B DES T E B U C 2018 Colorado State University – 14 / 64 c
ter Security - I S R N O T O A N M 2 1 3 5 4 EFOLLG DME OWI HET 2 1 3 5 4 Ciphertext: HTEIT ONWSI EMFRO DOMNE LALOG Plaintext: NOWISTHETIMEFORALLGOODMEN Key 2 1 3 5 4 Combines row and column transposition Write message in rows inrows order controlled by key, read off by
Nihilist Cipher ● ● PHERS CI DES EY IPHERS DES K YMMETRIC C ESIGN NCRYPTION S RIPLE RYPTOSYSTEM E C Dr. Indrajit Ray, Computer Science Department CS 556 - Compu SING RYPTOSYSTEMS ATA EY TANDARD ECRET IMPLE TRONGER REAKING NCRYPTION EYOND K S S S S D DES D B DES T E B U C SECRET KEY CRYPTOSYSTEMS
SIMPLE CIPHERS
STRONGER CIPHERS
DATA ENCRYPTION STANDARD
DES DESIGN
BREAKING DES
DES TRIPLE STRONGER CIPHERS ENCRYPTION
BEYOND DES
USING SYMMETRIC KEY CRYPTOSYSTEM
Dr. Indrajit Ray, Computer Science Department CS 556 - Computer Security - c 2018 Colorado State University – 15 / 64 tion 2018 Colorado State University – 16 / 64 c
ter Security - ... followed by permutation Substitution followed by permutation followed by substitu Best known example is DES (DataMathematics Encryption to Standard) design strong product cipher is classified
Product Ciphers ● ● ● PHERS CI DES EY IPHERS DES K YMMETRIC C ESIGN NCRYPTION S RIPLE RYPTOSYSTEM E C Dr. Indrajit Ray, Computer Science Department CS 556 - Compu SING RYPTOSYSTEMS ATA EY TANDARD ECRET IMPLE TRONGER REAKING NCRYPTION EYOND K S S S S D DES D B DES T E B U C f 2018 Colorado State University – 17 / 64 c
ter Security - size of the key computing the key under these scenarios For known plaintext/ chosen plaintext/ chosenbreakable ciphertext, by exhaustive search of keyTherefore space security is based on - computational complexity o ✦
Product Ciphers - (cont’d) ● ● PHERS CI DES EY IPHERS DES K YMMETRIC C ESIGN NCRYPTION S RIPLE RYPTOSYSTEM E C Dr. Indrajit Ray, Computer Science Department CS 556 - Compu SING RYPTOSYSTEMS ATA EY TANDARD ECRET IMPLE TRONGER REAKING NCRYPTION EYOND K S S S S D DES D B DES T E B U C 0 1 1 0 A + B 0 0 0 1 1 0 1 1 AB 2018 Colorado State University – 18 / 64 c
ter Security - Secure Channel + + KK Perfect Secrecy Plaintext Ciphertext Plaintext Secret Key Secret Key
Vernam One-time Pad PHERS CI DES EY IPHERS DES K YMMETRIC C ESIGN NCRYPTION S RIPLE RYPTOSYSTEM E C Dr. Indrajit Ray, Computer Science Department CS 556 - Compu SING RYPTOSYSTEMS ATA EY TANDARD ECRET IMPLE TRONGER REAKING NCRYPTION EYOND K S S S S D DES D B DES T E B U C cal e 2018 Colorado State University – 19 / 64 c
ter Security - for most situations key The Vernam one-time pad is the ultimate cipher, but impracti Requires a random key longer thanThe the key message cannot be reused Known plaintext reveals the portion ofused, the but key does that not has reveal been anything about the future bits of th
Perfect Secrecy ● ● ● ● PHERS CI DES EY IPHERS DES K YMMETRIC C ESIGN NCRYPTION S RIPLE RYPTOSYSTEM E C Dr. Indrajit Ray, Computer Science Department CS 556 - Compu SING RYPTOSYSTEMS ATA EY TANDARD ECRET IMPLE TRONGER REAKING NCRYPTION EYOND K S S S S D DES D B DES T E B U C SECRET KEY CRYPTOSYSTEMS
SIMPLE CIPHERS
STRONGER CIPHERS
DATA ENCRYPTION STANDARD
DES DESIGN
BREAKING DES
DES TRIPLE DATA ENCRYPTION STANDARD ENCRYPTION
BEYOND DES
USING SYMMETRIC KEY CRYPTOSYSTEM
Dr. Indrajit Ray, Computer Science Department CS 556 - Computer Security - c 2018 Colorado State University – 20 / 64 for 2 and K M that are 1 = 2018 Colorado State University – 21 / 64 c
ter Security - M = ] 2 ], K 1 which E[E[M, K DES is a product cipherplaintext with and 56 ciphertext bit key and 64Developed by bit IBM block and size for adopted bywith NIST NSA (FIPS approval, publication for 46) unclassified information E and D are public, butHas the some design four principles weak keys are for classified which E[E[M, K], K] Has twelve semi-weak keys which comes in pairs K identified as part of the standard and should not be used
DES ● ● ● ● ● PHERS CI DES EY IPHERS DES K YMMETRIC C ESIGN NCRYPTION S RIPLE RYPTOSYSTEM E C Dr. Indrajit Ray, Computer Science Department CS 556 - Compu SING RYPTOSYSTEMS ATA EY TANDARD ECRET IMPLE TRONGER REAKING NCRYPTION EYOND K S S S S D DES D B DES T E B U C 2018 Colorado State University – 22 / 64 c
ter Security - Has stood up remarkably well againstcryptanalysis 15 years of public Adopted as ANSI DEA (DataConsidered Encryption by Algorithm) ISO as a standardthat but it abandoned may due become to too concern widespreadcryptanalysis and an enticing target for
DES ● ● ● PHERS CI DES EY IPHERS DES K YMMETRIC C ESIGN NCRYPTION S RIPLE RYPTOSYSTEM E C Dr. Indrajit Ray, Computer Science Department CS 556 - Compu SING RYPTOSYSTEMS ATA EY TANDARD ECRET IMPLE TRONGER REAKING NCRYPTION EYOND K S S S S D DES D B DES T E B U C ed 2018 Colorado State University – 23 / 64 c
ter Security - mode Triple DES 1977 Approved as Federal standard withrecertification 5 year cycle of 1987 Reluctantly approved for 5 years 1993 Approved for another 5 years 1998 Re-examined and called for replacement 1999 DES re-affirmed for use till replacement found; preferr 2001 Advanced Encryption Standard (FIPSreplace 197) DES announced to 2005 DES withdrawn as national standard
DES History ● ● ● ● ● ● ● PHERS CI DES EY IPHERS DES K YMMETRIC C ESIGN NCRYPTION S RIPLE RYPTOSYSTEM E C Dr. Indrajit Ray, Computer Science Department CS 556 - Compu SING RYPTOSYSTEMS ATA EY TANDARD ECRET IMPLE TRONGER REAKING NCRYPTION EYOND K S S S S D DES D B DES T E B U C ated 2018 Colorado State University – 24 / 64 c
ter Security - The US Senate Select Committeeexonerated on the Intelligence NSA from tampering within the any design way of DES Broken in 22 hours in 1999over the by Internet distributing the (EFF’s Deep computing CrackBroken and in distributed.net) 1 day by FPGAMain based reason parallel for machine replacement in 2008 Allegations of built in trapdoors have never been✦ substanti Major weakness is key size ofallowing 56 exhaustive search bits for (on known the plaintext threshold attacks) of ✦ ✦ ✦
DES Controversies ● ● PHERS CI DES EY IPHERS DES K YMMETRIC C ESIGN NCRYPTION S RIPLE RYPTOSYSTEM E C Dr. Indrajit Ray, Computer Science Department CS 556 - Compu SING RYPTOSYSTEMS ATA EY TANDARD ECRET IMPLE TRONGER REAKING NCRYPTION EYOND K S S S S D DES D B DES T E B U C SECRET KEY CRYPTOSYSTEMS
SIMPLE CIPHERS
STRONGER CIPHERS
DATA ENCRYPTION STANDARD
DES DESIGN
BREAKING DES
DES TRIPLE DES DESIGN ENCRYPTION
BEYOND DES
USING SYMMETRIC KEY CRYPTOSYSTEM
Dr. Indrajit Ray, Computer Science Department CS 556 - Computer Security - c 2018 Colorado State University – 25 / 64 e 2018 Colorado State University – 26 / 64 c
ter Security - an initial permutation (IP) 16 rounds of a complex keya dependent final calculation permutation, (f) being the inverse of IP DES consists of: The basic process in enciphering a 64-bit data block using th ✦ ✦ ✦
Overview ● PHERS CI DES EY IPHERS DES K YMMETRIC C ESIGN NCRYPTION S RIPLE RYPTOSYSTEM E C Dr. Indrajit Ray, Computer Science Department CS 556 - Compu SING RYPTOSYSTEMS ATA EY TANDARD ECRET IMPLE TRONGER REAKING NCRYPTION EYOND K S S S S D DES D B DES T E B U C 2018 Colorado State University – 27 / 64 c
ter Security -
Overview PHERS CI DES EY IPHERS DES K YMMETRIC C ESIGN NCRYPTION S RIPLE RYPTOSYSTEM E C Dr. Indrajit Ray, Computer Science Department CS 556 - Compu SING RYPTOSYSTEMS ATA EY TANDARD ECRET IMPLE TRONGER REAKING NCRYPTION EYOND K S S S S D DES D B DES T E B U C 2018 Colorado State University – 28 / 64 c
ter Security -
DES - Selecting Subkeys PHERS CI DES EY IPHERS DES K YMMETRIC C ESIGN NCRYPTION S RIPLE RYPTOSYSTEM E C Dr. Indrajit Ray, Computer Science Department CS 556 - Compu SING RYPTOSYSTEMS ATA EY TANDARD ECRET IMPLE TRONGER REAKING NCRYPTION EYOND K S S S S D DES D B DES T E B U C 2018 Colorado State University – 29 / 64 c
ter Security -
DES Encryption - The f function PHERS CI DES EY IPHERS DES K YMMETRIC C ESIGN NCRYPTION S RIPLE RYPTOSYSTEM E C Dr. Indrajit Ray, Computer Science Department CS 556 - Compu SING RYPTOSYSTEMS ATA EY TANDARD ECRET IMPLE TRONGER REAKING NCRYPTION EYOND K S S S S D DES D B DES T E B U C SECRET KEY CRYPTOSYSTEMS
SIMPLE CIPHERS
STRONGER CIPHERS
DATA ENCRYPTION STANDARD
DES DESIGN
BREAKING DES
DES TRIPLE BREAKING DES ENCRYPTION
BEYOND DES
USING SYMMETRIC KEY CRYPTOSYSTEM
Dr. Indrajit Ray, Computer Science Department CS 556 - Computer Security - c 2018 Colorado State University – 30 / 64 trials 16 10 × 3.6 2018 Colorado State University – 31 / 64 = c years years years
9 6 3 55 1 year 10 hours 10 10 ter Security - 3 6 9 12 1 10 10 10 10 10 trials / second time required 56 bit key can be broken on average in 2
DES Known Plaintext Attack ● PHERS CI DES EY IPHERS DES K YMMETRIC C ESIGN NCRYPTION S RIPLE RYPTOSYSTEM E C Dr. Indrajit Ray, Computer Science Department CS 556 - Compu SING RYPTOSYSTEMS ATA EY TANDARD ECRET IMPLE TRONGER REAKING NCRYPTION EYOND K S S S S D DES D B DES T E B U C e 2018 Colorado State University – 32 / 64 c trials per second
12 ter Security - supercomputers Fastest DES chips can do closesecond to 1 million encryptions per A million chips in parallel canEstimated give cost us of 10 such amillions special of purpose dollars machine at is most, in comparable 10’s to of the most expensiv
DES Known Plaintext Attacks ● ● ● PHERS CI DES EY IPHERS DES K YMMETRIC C ESIGN NCRYPTION S RIPLE RYPTOSYSTEM E C Dr. Indrajit Ray, Computer Science Department CS 556 - Compu SING RYPTOSYSTEMS ATA EY TANDARD ECRET IMPLE TRONGER REAKING NCRYPTION EYOND K S S S S D DES D B DES T E B U C 2018 Colorado State University – 33 / 64 years years c years years years
9 6 3 12 15 10 10 10 10 ter Security - 6 9 3 12 1 10 10 10 10 10 trials / second time required trials 75 Compare the numbers for a 76average in bit 2 key which can be broken on
DES Known Plaintext Attack ● PHERS CI DES EY IPHERS DES K YMMETRIC C ESIGN NCRYPTION S RIPLE RYPTOSYSTEM E C Dr. Indrajit Ray, Computer Science Department CS 556 - Compu SING RYPTOSYSTEMS ATA EY TANDARD ECRET IMPLE TRONGER REAKING NCRYPTION EYOND K S S S S D DES D B DES T E B U C s can e to n 2018 Colorado State University – 34 / 64 c
pairs) 47 ter Security - trials - within the capabilities of the most 48 powerful workstations break DES in 2 Biham and Shamir have shown that differential cryptanalysi Differential cryptanalysis requires vast amounts of chose DES-like ciphers with larger keys should also be susceptibl ciphertext and is not very practical (2 such attacks
DES Chosen Ciphertext Attack ● ● ● PHERS CI DES EY IPHERS DES K YMMETRIC C ESIGN NCRYPTION S RIPLE RYPTOSYSTEM E C Dr. Indrajit Ray, Computer Science Department CS 556 - Compu SING RYPTOSYSTEMS ATA EY TANDARD ECRET IMPLE TRONGER REAKING NCRYPTION EYOND K S S S S D DES D B DES T E B U C ]] 2 ], K 1 E[E[M, K 2018 Colorado State University – 35 / 64 = c
ter Security - However, this is not the case That is there is noSo K multiple such encryption that E[M, should K] bestronger effective in cipher giving a ■ In 1992 it was shown that DES✦ is not a group. ✦
DES Multiple Encipherment ● PHERS CI DES EY IPHERS DES K YMMETRIC C ESIGN NCRYPTION S RIPLE RYPTOSYSTEM E C Dr. Indrajit Ray, Computer Science Department CS 556 - Compu SING RYPTOSYSTEMS ATA EY TANDARD ECRET IMPLE TRONGER REAKING NCRYPTION EYOND K S S S S D DES D B DES T E B U C ] 2 ], K 1 E[E[P, K = C 2018 Colorado State University – 36 / 64 c
Ciphertext ter Security - 2 K Ciphertext 1 K Plaintext Intermediate
DES Multiple Encipherment PEE PHERS CI DES EY IPHERS DES K YMMETRIC C ESIGN NCRYPTION S RIPLE RYPTOSYSTEM E C Dr. Indrajit Ray, Computer Science Department CS 556 - Compu SING RYPTOSYSTEMS ATA EY TANDARD ECRET IMPLE TRONGER REAKING NCRYPTION EYOND K S S S S D DES D B DES T E B U C ] 1 ], K 2 D[D[C, K = P 2018 Colorado State University – 37 / 64 c
ter Security - 1 K Ciphertext Intermediate 2 K Ciphertext Plaintext
DES Multiple Encipherment CDD PHERS CI DES EY IPHERS DES K YMMETRIC C ESIGN NCRYPTION S RIPLE RYPTOSYSTEM E C Dr. Indrajit Ray, Computer Science Department CS 556 - Compu SING RYPTOSYSTEMS ATA EY TANDARD ECRET IMPLE TRONGER REAKING NCRYPTION EYOND K S S S S D DES D B DES T E B U C 2018 Colorado State University – 38 / 64 c
ter Security - Known plaintext meet-in-the-middle attack Only as strong as DES with a✦ 57 bit key and not a 112 bit key
Double DES - Attack ● PHERS CI DES EY IPHERS DES K YMMETRIC C ESIGN NCRYPTION S RIPLE RYPTOSYSTEM E C Dr. Indrajit Ray, Computer Science Department CS 556 - Compu SING RYPTOSYSTEMS ATA EY TANDARD ECRET IMPLE TRONGER REAKING NCRYPTION EYOND K S S S S D DES D B DES T E B U C D[C, e by = ] 1 . Store these E[P, K 1 = 2018 Colorado State University – 39 / 64 c
ter Security - possible values of K ]; then we have X 2 56 ], K 1 E[E[P, K = ] 2 K Note that C The attack starts with aStep known 1: pair (P, Encrypt C) P for all 2 results (that is the Xthe values) in values of a X table and then sort the tabl
Double DES Meet-in-the-Middle Attack ● ● ● PHERS CI DES EY IPHERS DES K YMMETRIC C ESIGN NCRYPTION S RIPLE RYPTOSYSTEM E C Dr. Indrajit Ray, Computer Science Department CS 556 - Compu SING RYPTOSYSTEMS ATA EY TANDARD ECRET IMPLE TRONGER REAKING NCRYPTION EYOND K S S S S D DES D B DES T E B U C w of X e . As each 2 2018 Colorado State University – 40 / 64 c
values of K 56 ter Security - values) for a match. decryption is produced, check the result against the table ( known plaintext-ciphertext pair. If the twocorrect keys ciphertext, produce accept th them as the correct key. Step 2: Decrypt C using all possible 2 If a match occurs then test the two resulting keys against a ne
The Meet-in-the-Middle Attack ● ● PHERS CI DES EY IPHERS DES K YMMETRIC C ESIGN NCRYPTION S RIPLE RYPTOSYSTEM E C Dr. Indrajit Ray, Computer Science Department CS 556 - Compu SING RYPTOSYSTEMS ATA EY TANDARD ECRET IMPLE TRONGER REAKING NCRYPTION EYOND K S S S S D DES D B DES T E B U C f 112 s ciphertext values 2018 Colorado State University – 41 / 64 64 c
ter Security - 48 2 = 64 /2 112 possible key values different 112 bit keys that will2 produce a given ciphertext i For any given 64 bit plaintext P, there are 2 Double DES has a 112 bit key size - so inTherefore, effect on there an are average, for 2 a given plaintext, the number o that could be produced by double DES
The Attack - Analysis ● ● ● PHERS CI DES EY IPHERS DES K YMMETRIC C ESIGN NCRYPTION S RIPLE RYPTOSYSTEM E C Dr. Indrajit Ray, Computer Science Department CS 556 - Compu SING RYPTOSYSTEMS ATA EY TANDARD ECRET IMPLE TRONGER REAKING NCRYPTION EYOND K S S S S D DES D B DES T E B U C ≈ 16 the − 2018 Colorado State University – 42 / 64 16 c
− 2 false alarms on the first = 48 64 ter Security - /2 48 1 that is if the attacks isC) performed pair on the two probability blocks of of the known attack (P, succeeding is 1 – 2 false alarm rate is reduced to 2 Thus, the attack will produce about 2 A similar argument states that with an additional (P, C) pair ✦ (P, C) pair.
Analysis (continued) ● ● PHERS CI DES EY IPHERS DES K YMMETRIC C ESIGN NCRYPTION S RIPLE RYPTOSYSTEM E C Dr. Indrajit Ray, Computer Science Department CS 556 - Compu SING RYPTOSYSTEMS ATA EY TANDARD ECRET IMPLE TRONGER REAKING NCRYPTION EYOND K S S S S D DES D B DES T E B U C SECRET KEY CRYPTOSYSTEMS
SIMPLE CIPHERS
STRONGER CIPHERS
DATA ENCRYPTION STANDARD
DES DESIGN
BREAKING DES
DES TRIPLE DES TRIPLE ENCRYPTION ENCRYPTION
BEYOND DES
USING SYMMETRIC KEY CRYPTOSYSTEM
Dr. Indrajit Ray, Computer Science Department CS 556 - Computer Security - c 2018 Colorado State University – 43 / 64 C 1 K 2018 Colorado State University – 44 / 64 c
ter Security - 2 K 1 EDE K Plaintext Ciphertext P
Triple DES PHERS CI DES EY IPHERS DES K YMMETRIC C ESIGN NCRYPTION S RIPLE RYPTOSYSTEM E C Dr. Indrajit Ray, Computer Science Department CS 556 - Compu SING RYPTOSYSTEMS ATA EY TANDARD ECRET IMPLE TRONGER REAKING NCRYPTION EYOND K S S S S D DES D B DES T E B U C r n chosen plaintext 56 2018 Colorado State University – 45 / 64 c
ter Security - 3 , K 2 , K 1 operations if one has 2 56 , this amounts to a single encryption which is 1 K = 2 If K Could use distinct K convenient double DES. adopted as ANSI X9.52 standard Technique suggested by Tuchman to avoid the vulnerability i ✦ Tuchman’s technique is not part of the NIST standard; howeve Can be broken in 2 ✦ Triple DES variant uses three consecutive encryption blocks
Triple DES ● ● ● ● PHERS CI DES EY IPHERS DES K YMMETRIC C ESIGN NCRYPTION S RIPLE RYPTOSYSTEM E C Dr. Indrajit Ray, Computer Science Department CS 556 - Compu SING RYPTOSYSTEMS ATA EY TANDARD ECRET IMPLE TRONGER REAKING NCRYPTION EYOND K S S S S D DES D B DES T E B U C SECRET KEY CRYPTOSYSTEMS
SIMPLE CIPHERS
STRONGER CIPHERS
DATA ENCRYPTION STANDARD
DES DESIGN
BREAKING DES
DES TRIPLE BEYOND DES ENCRYPTION
BEYOND DES
USING SYMMETRIC KEY CRYPTOSYSTEM
Dr. Indrajit Ray, Computer Science Department CS 556 - Computer Security - c 2018 Colorado State University – 46 / 64 s d 2018 Colorado State University – 47 / 64 c
ter Security - Commercial COMSEC Endorsement Program = which cannot be reverse engineered, andby will selected be vendors manufacture CCEP Provide NSA designed secret crypto algorithms as black boxe
CCEP ● ● PHERS CI DES EY IPHERS DES K YMMETRIC C ESIGN NCRYPTION S RIPLE RYPTOSYSTEM E C Dr. Indrajit Ray, Computer Science Department CS 556 - Compu SING RYPTOSYSTEMS ATA EY TANDARD ECRET IMPLE TRONGER REAKING NCRYPTION EYOND K S S S S D DES D B DES T E B U C 2018 Colorado State University – 48 / 64 c
ter Security - Can be sold only togovernment US contractor government for agencies processing and classified US data Can be sold only tofor US processing government sensitive, agencies unclassified and data US firms Type 1 Product module ✦ Type 2 Product module ✦ Under certain circumstances, NSA mayType approve 2 Type 1 products and for use by friendly governments
CCEP – Type 1 and Type 2 ● ● ● PHERS CI DES EY IPHERS DES K YMMETRIC C ESIGN NCRYPTION S RIPLE RYPTOSYSTEM E C Dr. Indrajit Ray, Computer Science Department CS 556 - Compu SING RYPTOSYSTEMS ATA EY TANDARD ECRET IMPLE TRONGER REAKING NCRYPTION EYOND K S S S S D DES D B DES T E B U C SECRET KEY CRYPTOSYSTEMS
SIMPLE CIPHERS
STRONGER CIPHERS
DATA ENCRYPTION STANDARD
DES DESIGN
BREAKING DES
DES TRIPLE USING SYMMETRIC KEY CRYPTOSYSTEM ENCRYPTION
BEYOND DES
USING SYMMETRIC KEY CRYPTOSYSTEM
Dr. Indrajit Ray, Computer Science Department CS 556 - Computer Security - c 2018 Colorado State University – 49 / 64 2018 Colorado State University – 50 / 64 c
ter Security - ECB - Electronic Code Book CBC - Cipher Block Chaining CFB - Cipher Feedback OFB - Output Feedback 4 modes of operation ✦ ✦ ✦ ✦ For DES, these are partThey of have the been NIST generalized standard into ANSImodes and of ISO block standards ciphers for
Modes of Operation for Symmetric Key Crypto ● ● ● PHERS CI DES EY IPHERS DES K YMMETRIC C ESIGN NCRYPTION S RIPLE RYPTOSYSTEM E C Dr. Indrajit Ray, Computer Science Department CS 556 - Compu SING RYPTOSYSTEMS ATA EY TANDARD ECRET IMPLE TRONGER REAKING NCRYPTION EYOND K S S S S D DES D B DES T E B U C 56 bit key 2018 Colorado State University – 51 / 64 c
64 bit data block ter Security - ED 64 bit data block Ok for small messages Identical data blocks will be identically encrypted 56 bit key
Electronic Code Book Mode ● ● PHERS CI DES EY IPHERS DES K YMMETRIC C ESIGN NCRYPTION S RIPLE RYPTOSYSTEM E C Dr. Indrajit Ray, Computer Science Department CS 556 - Compu SING RYPTOSYSTEMS ATA EY TANDARD ECRET IMPLE TRONGER REAKING NCRYPTION EYOND K S S S S D DES D B DES T E B U C 2018 Colorado State University – 52 / 64 c
ter Security -
Problem with ECB Mode PHERS CI DES EY IPHERS DES K YMMETRIC C ESIGN NCRYPTION S RIPLE RYPTOSYSTEM E C Dr. Indrajit Ray, Computer Science Department CS 556 - Compu SING RYPTOSYSTEMS ATA EY TANDARD ECRET IMPLE TRONGER REAKING NCRYPTION EYOND K S S S S D DES D B DES T E B U C 2018 Colorado State University – 53 / 64 c
+ ter Security - 64 bit data block 64 bit previous ciphertext block + ED 64 bit previous ciphertext block 64 bit data block 56 bit key 56 bit key
Cipher Block Chaining PHERS CI DES EY IPHERS DES K YMMETRIC C ESIGN NCRYPTION S RIPLE RYPTOSYSTEM E C Dr. Indrajit Ray, Computer Science Department CS 556 - Compu SING RYPTOSYSTEMS ATA EY TANDARD ECRET IMPLE TRONGER REAKING NCRYPTION EYOND K S S S S D DES D B DES T E B U C back 2018 Colorado State University – 54 / 64 c
ter Security - the key and all previous plaintext blocks block CBC seeks to make each ciphertext block✦ a function of ✦ Needs an Initialization Vector (IV) to serve as the first feed
Cipher Block Chaining ● ● PHERS CI DES EY IPHERS DES K YMMETRIC C ESIGN NCRYPTION S RIPLE RYPTOSYSTEM E C Dr. Indrajit Ray, Computer Science Department CS 556 - Compu SING RYPTOSYSTEMS ATA EY TANDARD ECRET IMPLE TRONGER REAKING NCRYPTION EYOND K S S S S D DES D B DES T E B U C e 2018 Colorado State University – 55 / 64 c
ter Security - otherwise the first blocks will be encrypted identically IV need not be secretIntegrity or of random IV is important, otherwise first data block canIV b should be changed fromof message every to message message, should or be first distinct block ✦ arbitrarily changed
Cipher Block Chaining ● ● ● PHERS CI DES EY IPHERS DES K YMMETRIC C ESIGN NCRYPTION S RIPLE RYPTOSYSTEM E C Dr. Indrajit Ray, Computer Science Department CS 556 - Compu SING RYPTOSYSTEMS ATA EY TANDARD ECRET IMPLE TRONGER REAKING NCRYPTION EYOND K S S S S D DES D B DES T E B U C 2018 Colorado State University – 56 / 64 c
ter Security -
Encryption in CBC Mode PHERS CI DES EY IPHERS DES K YMMETRIC C ESIGN NCRYPTION S RIPLE RYPTOSYSTEM E C Dr. Indrajit Ray, Computer Science Department CS 556 - Compu SING RYPTOSYSTEMS ATA EY TANDARD ECRET IMPLE TRONGER REAKING NCRYPTION EYOND K S S S S D DES D B DES T E B U C left shift key 56 bit 8 bits leftmost + 8-bit 2018 Colorado State University – 57 / 64 plaintext c
8, 8-bit blocks ter Security - left shift 8-bit ciphertext + ED 8-bit plaintext 8, 8-bit blocks 8 bits leftmost key 56 bit
Cipher Feedback PHERS CI DES EY IPHERS DES K YMMETRIC C ESIGN NCRYPTION S RIPLE RYPTOSYSTEM E C Dr. Indrajit Ray, Computer Science Department CS 556 - Compu SING RYPTOSYSTEMS ATA EY TANDARD ECRET IMPLE TRONGER REAKING NCRYPTION EYOND K S S S S D DES D B DES T E B U C t other t register 2018 Colorado State University – 58 / 64 c
ter Security - the speed of CB or ECB th things Intended for character-by-character transmission, among Operates at 1/8 We can have k-bit feedback, inNeeds general a 64-bit Initialization Vector toError initialize in the 1 shif 8-bit ciphertext will be extended to the next 8 8-bi decrypted ciphertexts
Cipher Feedback ● ● ● ● ● PHERS CI DES EY IPHERS DES K YMMETRIC C ESIGN NCRYPTION S RIPLE RYPTOSYSTEM E C Dr. Indrajit Ray, Computer Science Department CS 556 - Compu SING RYPTOSYSTEMS ATA EY TANDARD ECRET IMPLE TRONGER REAKING NCRYPTION EYOND K S S S S D DES D B DES T E B U C left shift key 56 bit 8 bits leftmost + 8-bit 2018 Colorado State University – 59 / 64 plaintext c
8, 8-bit blocks ter Security - left shift 8-bit ciphertext + ED 8-bit plaintext 8, 8-bit blocks 8 bits leftmost key 56 bit
Output Feedback PHERS CI DES EY IPHERS DES K YMMETRIC C ESIGN NCRYPTION S RIPLE RYPTOSYSTEM E C Dr. Indrajit Ray, Computer Science Department CS 556 - Compu SING RYPTOSYSTEMS ATA EY TANDARD ECRET IMPLE TRONGER REAKING NCRYPTION EYOND K S S S S D DES D B DES T E B U C o 31 2018 Colorado State University – 60 / 64 c
ter Security - Error is not extended otherwise average cycle of repetition in key stream is 2 exclusive OR is independent of plaintext Similar to CFB except that the key stream generated as input t ✦ OFB is intended for use witherror speech extension) or video (due toANSI lack and of ISO only allow 64 bit✦ feedback in OFB
Output Feedback ● ● ● PHERS CI DES EY IPHERS DES K YMMETRIC C ESIGN NCRYPTION S RIPLE RYPTOSYSTEM E C Dr. Indrajit Ray, Computer Science Department CS 556 - Compu SING RYPTOSYSTEMS ATA EY TANDARD ECRET IMPLE TRONGER REAKING NCRYPTION EYOND K S S S S D DES D B DES T E B U C 2018 Colorado State University – 61 / 64 c
ter Security -
Counter Mode for Block Ciphers PHERS CI DES EY IPHERS DES K YMMETRIC C ESIGN NCRYPTION S RIPLE RYPTOSYSTEM E C Dr. Indrajit Ray, Computer Science Department CS 556 - Compu SING RYPTOSYSTEMS ATA EY TANDARD ECRET IMPLE TRONGER REAKING NCRYPTION EYOND K S S S S D DES D B DES T E B U C 2018 Colorado State University – 62 / 64 c
ter Security -
Counter Mode for Block Ciphers PHERS CI DES EY IPHERS DES K YMMETRIC C ESIGN NCRYPTION S RIPLE RYPTOSYSTEM E C Dr. Indrajit Ray, Computer Science Department CS 556 - Compu SING RYPTOSYSTEMS ATA EY TANDARD ECRET IMPLE TRONGER REAKING NCRYPTION EYOND K S S S S D DES D B DES T E B U C 2018 Colorado State University – 63 / 64 c
ter Security - Federal Information Processing Standard 197 Replacement for DES, became effective MayStandard 2002 to be reevaluated every 5 years
Advanced Encryption Standard ● ● ● PHERS CI DES EY IPHERS DES K YMMETRIC C ESIGN NCRYPTION S RIPLE RYPTOSYSTEM E C Dr. Indrajit Ray, Computer Science Department CS 556 - Compu SING RYPTOSYSTEMS ATA EY TANDARD ECRET IMPLE TRONGER REAKING NCRYPTION EYOND K S S S S D DES D B DES T E B U C 2018 Colorado State University – 64 / 64 c
ter Security - Rijndael was designed to handle additionalhowever they block were sizes, not adopted in the standard Symmetric key block cipher Uses the Rijndael algorithm 128 bit data block size Variable key sizes of 128 bit or 192✦ bits or 256 bits
Advanced Encryption Standard ● ● ● ● PHERS CI DES EY IPHERS DES K YMMETRIC C ESIGN NCRYPTION S RIPLE RYPTOSYSTEM E C Dr. Indrajit Ray, Computer Science Department CS 556 - Compu SING RYPTOSYSTEMS ATA EY TANDARD ECRET IMPLE TRONGER REAKING NCRYPTION EYOND K S S S S D DES D B DES T E B U C