Distributed Systems Ngywioggazhon Pystemp Cryptographic Systems

Distributed Systems Ngywioggazhon Pystemp Auesfnsicutiwf & Moiiunocaiwn Piqtoaoyp Introduction to Cryptography

Except as otherwise noted, the content of this presentation is licensed under the Creative Commons Attribution 2.5 License. Page 1 Page 2

cryptography Cryptographic Systems κρυπός γραφία Authentication & Communication Protocols hidden writing

A secret manner of writing, … Generally, the art of writing or solving ciphers. — Oxford English Dictionary

Page 3 Page 4

Cryptography  Security

cryptology Cryptography may be a component of a secure system

κρυπός λογια Adding cryptography may not make a system secure

hidden speaking

1967 D. Kahn, Codebreakers p. xvi, Cryptology is the science that embraces cryptography and cryptanalysis, but the term ‘cryptology’ sometimes loosely designates the entire dual field of both rendering signals secure and extracting information from them. — Oxford English Dictionary

Page 5 Page 6

1 Terms Terms: types of ciphers

Plaintext (cleartext), message M • restricted cipher encryption, E(M) • symmetric algorithm produces ciphertext, C=E(M)

• public key algorithm decryption: M=D(C)

Cryptographic algorithm, cipher

Page 7 Page 8

Restricted cipher The key

Secret algorithm

• Leaking • Reverse engineering – HD DVD (Dec 2006) and Blu-Ray (Jan 2007) – RC4 – All digital cellular encryption algorithms – DVD and DIVX video compression – Firewire – Enigma cipher machine – Every NATO and Warsaw Pact algorithm during Cold War

Page 9 BTW, the above is a bump key. See http://en.wikipedia.org/wiki/Lock_bumping.Page 10

The key The key

Source: en.wikipedia.org/wiki/Pin_tumbler_lock Source: en.wikipedia.org/wiki/Pin_tumbler_lock

Page 11 Page 12

2 The key Symmetric algorithm

Secret key • We understand how it works: – Strengths – Weaknesses C = EK(M ) • Based on this understanding, we can assess how much to trust the key & lock. M = DK(C )

Source: en.wikipedia.org/wiki/Pin_tumbler_lock

Page 13 Page 14

Public key algorithm McCarthy’s puzzle (1958)

Public and private keys The setting: • Two countries are at war C = E (M ) 1 public • One country sends spies to the other country M = Dprivate(C1 ) • To return safely, spies must give the border guards a password also: • Spies can be trusted C = E (M ) 2 private • Guards chat – information given to them may M = D (C ) public 2 leak

Page 15 Page 16

McCarthy’s puzzle Solution to McCarthy’s puzzle

Challenge Michael Rabin, 1958

How can a guard authenticate a person without Use one-way function, B = f (A) knowing the password? – Guards get B … • Enemy cannot compute A Enemies cannot use the guard’s knowledge to – Spies give A, guards compute f(A) introduce their own spies • If the result is B, the password is correct.

Example function: Middle squares • Take a 100-digit number (A), and square it • Let B = middle 100 digits of 200-digit result

Page 17 Page 18

3 One-way functions McCarthy’s puzzle example

• Easy to compute in one direction Example with an 18 digit number • Difficult to compute in the other A = 289407349786637777 A2 = 83756614110525308948445338203501729110525308948445338 Examples: Middle square, B = 110525308948445338 Factoring: pq = N EASY find p,q given N DIFFICULT Given A, it is easy to compute B Discrete Log: Given B, it is extremely hard to compute A ab mod c = N EASY find b given a, c, N DIFFICULT

Page 19 Page 20

More terms More terms

• one-way function • Stream cipher – Rabin, 1958: McCarthy’s problem – Encrypt a message a character at a time – middle squares, exponentiation, … • [one-way] hash function • Block cipher – Encrypt a message a chunk at a time – message digest, fingerprint, cryptographic checksum, integrity check • encrypted hash – message authentication code – only possessor of key can validate message

Page 21 Page 22

Yet another term Cryptography: what is it good for?

• Digital Signature • Authentication – Authenticate, not encrypt message – determine origin of message – Use pair of keys (private, public) • Integrity – Owner encrypts message with private key – verify that message has not been modified – Sender validates by decrypting with public key – Generally use hash(message). • Nonrepudiation – sender should not be able to falsely deny that a message was sent

• Confidentiality – others cannot read contents of the message

Page 23 Page 24

4 Cryptographic toolbox

• Symmetric encryption

• Public key encryption

• One-way hash functions Classic Cryptosystems • Random number generators

Page 25 Page 26

Cæsar cipher

Earliest documented military use of cryptography – Julius Caesar c. 60 BC – shift cipher: simple variant of a substitution cipher – each letter replaced by one n positions away modulo alphabet size n = shift value = key Substitution Ciphers Similar scheme used in India – early Indians also used substitutions based on phonetics similar to pig latin

Last seen as ROT13 on Usenet to keep the reader from seeing offensive messages unwillingly

Page 27 Page 28

Cæsar cipher Cæsar cipher

A B C D E F G H I J K L M N O P Q R S T U V WX Y Z A B C D E F G H I J K L M N O P Q R S T U V WX Y Z A B C D E F G H I J K L M N O P Q R S T U V WX Y Z U V WX Y Z A B C D E F G H I J K L M N O P Q R S T shift alphabet by n (6)

Page 29 Page 30

5 Cæsar cipher Cæsar cipher

MY CAT HAS FLEAS MY CAT HAS FLEAS

A B C D E F G H I J K L M N O P Q R S T U V WX Y Z A B C D E F G H I J K L M N O P Q R S T U V WX Y Z U V WX Y Z A B C D E F G H I J K L M N O P Q R S T U V WX Y Z A B C D E F G H I J K L M N O P Q R S T

Page 31 Page 32

Cæsar cipher Cæsar cipher

MY CAT HAS FLEAS MY CAT HAS FLEAS

GS GSW

Page 33 Page 34

Cæsar cipher Cæsar cipher

MY CAT HAS FLEAS MY CAT HAS FLEAS

GSWU GSWUN

Page 35 Page 36

6 Cæsar cipher Cæsar cipher

MY CAT HAS FLEAS MY CAT HAS FLEAS

GSWUNB GSWUNBU

Page 37 Page 38

Cæsar cipher Cæsar cipher

MY CAT HAS FLEAS MY CAT HAS FLEAS

GSWUNBUM GSWUNBUMZ

Page 39 Page 40

Cæsar cipher Cæsar cipher

MY CAT HAS FLEAS MY CAT HAS FLEAS

GSWUNBUMZF GSWUNBUMZFY

Page 41 Page 42

7 Cæsar cipher Cæsar cipher

MY CAT HAS FLEAS MY CAT HAS FLEAS

GSWUNBUMZFYU GSWUNBMUFZYUM

Page 43 Page 44

Cæsar cipher Ancient Hebrew variant (ATBASH)

MY CAT HAS FLEAS MY CAT HAS FLEAS

A B C D E F G H I J K L M N O P Q R S T U V WX Y Z A B C D E F G H I J K L M N O P Q R S T U V WX Y Z U V WX Y Z A B C D E F G H I J K L M N O P Q R S T Z Y XW V U T S R Q P O N M L K J I H G F E D C B A

GSWUNBMUFZYUM NBXZGSZHUOVZH • Convey one piece of information for decryption: • c. 600 BC shift value • No information (key) needs to be conveyed!

• trivially easy to crack (26 possibilities for a 26 character alphabet)

Page 45 Page 46

Substitution cipher Substitution cipher

MY CAT HAS FLEAS Easy to decode: A B C D E F G H I J K L M N O P Q R S T U V WX Y Z – vulnerable to frequency analysis M P S R L Q E A J T N C I F Z WO Y B X G K U D V H Moby Dick Shakespeare IVSMXAMBQCLMB (1.2M chars) (55.8M chars) • General case: arbitrary mapping e 12.300% e 11.797% • both sides must have substitution alphabet o 7.282% o 8.299% d 4.015% d 3.943% b 1.773% b 1.634% x 0.108% x 0.140%

Page 47 Page 48

8 Statistical Analysis Polyalphabetic ciphers

Designed to thwart frequency analysis techniques Letter frequencies – different ciphertext symbols can represent the E: 12% same plaintext symbol A, H, I, N, O, R, S, T: 6 – 9% • 1  many relationship between D, L: 4% letter and substitute B, C, F, G, M, P, U, W, Y: 1.5 – 2.8% Leon Battista Alberti: 1466: invented key J J, K, Q, V, X, Z: < 1% – two disks A Common digrams: – line up predetermined letter on inner disk with outer disk TH, HE, IN, ER, AN, RE, … – plaintext on inner  ciphertext on Common trigrams outer THE, ING, AND, HER, ERE, … – after n symbols, the disk is rotated to a new alignment encrypt: AJ decrypt: J A

Page 49 Page 50

Vigenère polyalphabetic cipher

• Blaise de Vigenère, court of Henry III of France, 1518 • Use table and key word to encipher a message • repeat keyword over text: (e.g. key=FACE) FA CEF ACE FACEF .... MY CAT HAS FLEAS • encrypt: find intersection: row = keyword letter column = plaintext letter • decrypt: column = keyword letter, search for intersection = ciphertext letter • message is encrypted with as many substitution ciphers as there are letters in the keyword

Page 51 Page 52

Vigenère polyalphabetic cipher Vigenère polyalphabetic cipher

plaintext letter FA CEF ACE FACEF MY CAT HAS FLEAS A B C D E F G H I J K L M N O P Q R S T R A B C D E F G H I J K L M N O P Q R S T B C D E F G H I J K L M N O P Q R S T U A B C D E F G H I J K L M N O P Q R S T U V WX Y Z C D E F G H I J K L M N O P Q R S T U V B C D E F G H I J K L M N O P Q R S T U V WX Y Z A D E F G H I J K L M N O P Q R S T U V W C D E F G H I J K L M N O P Q R S T U V WX Y Z A B keytext E F G H I J K L M N O P Q R S T U V WX D E F G H I J K L M N O P Q R S T U V WX Y Z A B C letter F G H I J K L M N O P Q R S T U V WX Y E F G H I J K L M N O P Q R S T U V WX Y Z A B C D F G H I J K L M N O P Q R S T U V WX Y Z A B C D E ciphertext letter G H I J K L M N O P Q R S T U V WX Y Z A B C D E F H I J K L M N O P Q R S T U V WX Y Z A B C D E F G

Page 53 Page 54

9 Vigenère polyalphabetic cipher Vigenère polyalphabetic cipher

FA CEF ACE FACEF FA CEF ACE FACEF MY CAT HAS FLEAS MY CAT HAS FLEAS RY RY E

A B C D E F G H I J K L M N O P Q R S T U V WX Y Z A B C D E F G H I J K L M N O P Q R S T U V WX Y Z B C D E F G H I J K L M N O P Q R S T U V WX Y Z A B C D E F G H I J K L M N O P Q R S T U V WX Y Z A C D E F G H I J K L M N O P Q R S T U V WX Y Z A B C D E F G H I J K L M N O P Q R S T U V WX Y Z A B D E F G H I J K L M N O P Q R S T U V WX Y Z A B C D E F G H I J K L M N O P Q R S T U V WX Y Z A B C E F G H I J K L M N O P Q R S T U V WX Y Z A B C D E F G H I J K L M N O P Q R S T U V WX Y Z A B C D F G H I J K L M N O P Q R S T U V WX Y Z A B C D E F G H I J K L M N O P Q R S T U V WX Y Z A B C D E G H I J K L M N O P Q R S T U V WX Y Z A B C D E F G H I J K L M N O P Q R S T U V WX Y Z A B C D E F H I J K L M N O P Q R S T U V WX Y Z A B C D E F G H I J K L M N O P Q R S T U V WX Y Z A B C D E F G

Page 55 Page 56

Vigenère polyalphabetic cipher Vigenère polyalphabetic cipher

FA CEF ACE FACEF FA CEF ACE FACEF MY CAT HAS FLEAS MY CAT HAS FLEAS RY EE RY EEY

Page 57 Page 58

Vigenère polyalphabetic cipher Vigenère polyalphabetic cipher

FA CEF ACE FACEF FA CEF ACE FACEF MY CAT HAS FLEAS MY CAT HAS FLEAS RY EEY H RY EEY HC

Page 59 Page 60

10 Vigenère polyalphabetic cipher Vigenère polyalphabetic cipher

FA CEF ACE FACEF FA CEF ACE FACEF MY CAT HAS FLEAS MY CAT HAS FLEAS RY EEY HCW RY EEY HCW K

Page 61 Page 62

Vigenère polyalphabetic cipher Vigenère polyalphabetic cipher

FA CEF ACE FACEF FA CEF ACE FACEF MY CAT HAS FLEAS MY CAT HAS FLEAS RY EEY HCW KL RY EEY HCW KLG

Page 63 Page 64

Vigenère polyalphabetic cipher Vigenère polyalphabetic cipher

FA CEF ACE FACEF FA CEF ACE FACEF MY CAT HAS FLEAS MY CAT HAS FLEAS RY EEY HCW KLGE RY EEY HCW KLGEX

Page 65 Page 66

11 Vigenère polyalphabetic cipher

"The rebels reposed their major trust, however, in the Vigenere, sometimes using it in the form of a brass cipher disc. In theory, it was an excellent choice, for so far as the South knew the cipher was unbreakable. In practice, it proved a dismal failure. For one thing, transmission errors that added or subtracted a letter ... unmeshed the key from Transposition Ciphers the cipher and caused no end of difficulty. Once Major Cunningham of General Kirby-Smith's staff tried for twelve hours to decipher a garbled message; he finally gave up in disgust and galloped around the Union flank to the sender to find out what it said."

http://rz1.razorpoint.com/index.html

Page 67 Page 68

Transposition ciphers Transposition ciphers: staff cipher

• Permute letters in plaintext according to rules MYCATHASFLEAS

• Knowledge of rules will allow message to be decrypted MHE

• Earliest version used by the Spartans in the th 5 century BC – staff cipher M H E

Page 69 Page 70

Transposition ciphers: staff cipher Transposition ciphers: staff cipher

MYCATHASFLEAS MYCATHASFLEAS

MHE YAA MHE YAA CSS

Y C A S A S

Page 71 Page 72

12 Transposition ciphers: staff cipher Transposition ciphers: staff cipher

MYCATHASFLEAS MYCATHASFLEAS

MHE YAA CSS AFx MHE YAA CSS Afx TLy

A T F Pad out the text. This is a L x block cipher versus a y stream cipher

Page 73 Page 74

Transposition cipher Transposition cipher

Table version of staff cipher Table version of staff cipher – enter data horizontally, read it vertically – enter data horizontally, read it vertically – secrecy is the width of the table – secrecy is the width of the table

M Y C A M Y C A T H A S T H A S MYCATHASFLEAS MYCATHASFLEAS MTFS F L E A F L E A S x y z S x y z

Page 75 Page 76

Transposition cipher Transposition cipher

M Y C A M Y C A T H A S T H A S MYCATHASFLEAS MTFSYHLx MYCATHASFLEAS MTFSYHLxCAEy F L E A F L E A S x y z S x y z

Page 77 Page 78

13 Transposition cipher Transposition cipher with key

Table version of staff cipher – permute letters in plaintext according to key – enter data horizontally, read it vertically – read down columns, sorting by key – secrecy is the width of the table

Key: 3 1 4 2 M Y C A M Y C A T H A S MYCATHASFLEAS MTFSYHLxCAEyASAz MYCATHASFLEAS T H A S F L E A F L E A S x y z S x y z

Page 79 Page 80

Transposition cipher with key Transposition cipher with key

– permute letters in plaintext according to key – permute letters in plaintext according to key – read down columns, sorting by key – read down columns, sorting by key

Key: 3 1 4 2 Key: 3 1 4 2 M Y C A M Y C A MYCATHASFLEAS T H A S YHLx MYCATHASFLEAS T H A S YHLxASAz F L E A F L E A S x y z S x y z ASAz YHLx

Page 81 Page 82

Transposition cipher with key Transposition cipher with key

– permute letters in plaintext according to key – permute letters in plaintext according to key – read down columns, sorting by key – read down columns, sorting by key

Key: 3 1 4 2 Key: 3 1 4 2 M Y C A M Y C A MYCATHASFLEAS T H A S YHLxASAzMTFS MYCATHASFLEAS T H A S YHLxASAzMTFSCAEy F L E A F L E A S x y z S x y z CAEy

MTFS

Page 83 Page 84

14 Transposition cipher with key Combined ciphers

– permute letters in plaintext according to key • Combine transposition with substitution – read down columns, sorting by key ciphers – German ADFGVX cipher (WWI)

Key: 3 1 4 2 M Y C A • can be troublesome to implement MYCATHASFLEAS T H A S YHLxASAzMTFSCAEY – may require a lot of memory F L E A S x y z – may require that messages be certain lengths

• Difficult with manual cryptography

Page 85 Page 86

Rotor machines

1920s: mechanical devices used for automating encryption

Rotor machine:

– set of independently rotating cylinders through which electrical Electro-mechanical pulses flow – each cylinder has input & output pin for each letter of the cryptographic engines alphabet – implements a version of the Vigenère cipher

– each rotor implements a substitution cipher

– output of each rotor is fed into the next rotor

Page 87 Page 88

Rotor machines Single cylinder rotor machine

• Simplest rotor machine: single cylinder A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z G V I L C M B Q F K D O S P Z H R E U Z N X A T W J A B C D E F G H I J K L M N O P Q R S T U V W X Y Z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

rotate • after a character is entered, the cylinder rotates one position A B C D E F G H I J K L M N O P Q R S T U V W X Y Z – internal combinations shifted by one A B C D E F G H I J K L M N O P Q R S T U V W X Y Z – polyalphabetic substitution cipher with a period of 26 K H W J M D N C R G L E P T Q Z I S F V A O Y B U X

Page 89 Page 90

15 Single cylinder rotor machine Single cylinder rotor machine

MY CAT HAS FLEAS MY CAT HAS FLEAS

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

S SU

Page 91 Page 92

Single cylinder rotor machine Single cylinder rotor machine

MY CAT HAS FLEAS MY CAT HAS FLEAS

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

SUI SUIU

Page 93 Page 94

Single cylinder rotor machine Single cylinder rotor machine

MY CAT HAS FLEAS MY CAT HAS FLEAS

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

SUIUV SUIUVA

Page 95 Page 96

16 Single cylinder rotor machine Single cylinder rotor machine

MY CAT HAS FLEAS MY CAT HAS FLEAS

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

SUIUVAY SUIUVAYO

Page 97 Page 98

Single cylinder rotor machine Single cylinder rotor machine

MY CAT HAS FLEAS MY CAT HAS FLEAS

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

SUIUVAYOI SUIUVAYOIN

Page 99 Page 100

Single cylinder rotor machine Single cylinder rotor machine

MY CAT HAS FLEAS MY CAT HAS FLEAS

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

SUIUVAYOINK SUIUVAYOINKB

Page 101 Page 102

17 Single cylinder rotor machine Multi-cylinder rotor machines

MY CAT HAS FLEAS Single cylinder rotor machine – substitution cipher with a period = length of alphabet (e.g., 26) A B C D E F G H I J K L M N O P Q R S T U V W X Y Z Multi-cylinder rotor machine – feed output of one cylinder as input to the next one – first rotor advances after character is entered A B C D E F G H I J K L M N O P Q R S T U V W X Y Z – second rotor advances after a full period of the first – polyalphabetic substitution cipher SUIUVAYOINKBY • period = (length of alphabet)number of rotors • 3 26-char cylinders  263 = 17,576 substitution alphabets • 5 26-char cylinders  265 = 11,881,367 substitution alphabets

Page 103 Page 104

Enigma Enigma

Rotors • Enigma machine used in Reflector Germany during WWII • Three rotor system – 263 = 17,576 possible rotor positions • Input data permuted via patch panel before sending to rotor engine Plugboard • Data from last rotor reflected back through rotors  makes encryption symmetric Glowlamps • Need to know initial settings of rotor (results) – setting was f(date) – find in book of codes Keyboard • broken by group at Bletchley Park (Alan Turing) (input)

Page 105 Page 106

One-time pads One-time pads

Only provably secure encryption scheme If pad contains M + K mod 26 = W • invented in 1917 KWXOPWMAELGHW… Y + W mod 26 = U and we want to encrypt C + X mod 26 = Z MY CAT HAS FLEAS A + O mod 26 = O • large non-repeating set of random key letters written T + P mod 26 = I on a pad H + W mod 26 = D Ciphertext: • each key letter on the pad encrypts exactly one A + M mod 26 = M WUZOIDMSJWKHO plaintext character S + A mod 26 = S – encryption is addition of characters modulo 26 F + E mod 26 = J L + L mod 26 = W • sender destroys pages that have been used E + G mod 26 = K A + H mod 26 = H • receiver maintains identical pad S + W mod 26 = O

Page 107 Page 108

18 One-time pads One-time pads

The same ciphertext can W - D mod 26 = W Can be extended to binary data decrypt to anything U - N mod 26 = U depending on the key! Z - V mod 26 = Z – random key sequence as long as the message O - L mod 26 = O – exclusive-or key sequence with message Same ciphertext: I - U mod 26 = I – receiver has the same key sequence D - X mod 26 = D WUZOIDMSJWKHO M - E mod 26 = M With a pad of: S - A mod 26 = S KWXOPWMAELGHW… J - C mod 26 = J Produces: W - W mod 26 = W THE DOG IS HAPPY K - V mod 26 = K H - S mod 26 = H O - Q mod 26 = O

Page 109 Page 110

One-Time Pad One-time pads

void onetimepad(void) Problems with one-time pads: { FILE *if = fopen(“intext”, “r”); – key needs to be as long as the message! FILE *kf = fopen(“keytext”, “r”); FILE *of = fopen(“outtext”, “w”); – key storage can be problematic int c, k; • may need to store a lot of data

while ((c = getc(if)) != EOF) { – keys have to be generated randomly k = getc(kf); • cannot use pseudo-random number generator putc((c^k), of); } – cannot reuse key sequence fclose(if); fclose(kf); fclose(of); } – sender and receiver must remain synchronized (e.g. cannot lose a message)

Page 111 Page 112

Digression: random numbers

• “anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin” – John vonNeumann Computer Cryptography • Pseudo-random generators – Linear feedback shift registers – Multiplicative lagged Fibonacci generators – Linear congruential generator

• Obtain randomness from: – Time between keystrokes – Various network/kernel events – Cosmic rays – Electrical noise – Other encrypted messages

Page 113 Page 114

19 DES DES

64 bit plaintext block 48-bit subkey • Data Encryption Standard permuted from key – adopted as a federal standard in 1976 initial permutation, IP

• block cipher, 64 bit blocks left half, L1 right half, R0 f • 56 bit key K1 – all security rests with the key 16 rounds • substitution followed by a permutation L1= R0 R1 = L0  f(R0, K1)

(transposition) L15= R14 R15 = L14  f(R14, K15) – same combination of techniques is applied on the f plaintext block 16 times K16

R16 = L15  f(R15, K16) L16 = R15

final permutation, IP-1

64 bit ciphertext block Page 115 Page 116

DES: f DES: S-boxes

• After compressed key is XORed with expanded block DATA: right 32 bits KEY: 56 bits – 48-bit result moves to substitution operation via eight substitution boxes (s-boxes)

48 bits 48 bits • Each S-box has – 6-bit input – 4-bit output • 48 bits divided into eight 6-bit sub-blocks S S S S S S S S • Each block is operated by a separate S-box • key components of DES’s security • net result: 48 bit input generates 32 bit output New DATA: DATA: left 32 bits right 32 bits

Page 117 Page 118

Is DES secure? The power of 2

56-bit key makes DES relatively weak Adding an extra bit to a key doubles the search – 7.2×1016 keys space. – Brute-force attack Suppose it takes 1 second to attack a 20-bit key: Late 1990’s: – DES cracker machines built to crack DES keys in a few hours •21-bit key: 2 seconds – DES Deep Crack: 90 billion keys/second – Distributed.net: test 250 billion keys/second •32-bit key: 1 hour •40-bit key: 12 days •56-bit key: 2,178 years •64-bit key: >557,000 years!

Page 119 Page 120

20 Increasing The Key Double DES

Can double encryption work for DES? Vulnerable to meet-in-the-middle attack

– Useless if we could find a key K such that: If we know some pair (P, C), then: 56 [1] Encrypt P for all 2 values of K1 EK(P) = EK2(EK1(P)) 56 [2] Decrypt C for all 2 values of K2

– This does not hold for DES For each match where [1] = [2] – test the two keys against another P, C pair – if match, you are assured that you have the key

Page 121 Page 122

Triple DES Triple DES

Triple DES with two 56-bit keys: Prevent meet-in-the-middle attack with – three stages C = EK1(DK2(EK1(P))) – and two keys Triple DES with three 56-bit keys: Triple DES: C = EK3(DK2(EK1(P))) C = EK1(DK2(EK1(P))) Decryption used in middle step for compatibility Decryption used in middle step for compatibility with DES (K1=K2=K3) with DES C = E (D (E (P)))  C = E (P) K K K K1 C = EK(DK(EK(P)))  C = EK1(P)

Page 123 Page 124

Popular symmetric algorithms AES

IDEA - International Data Encryption Algorithm From NIST: – 1992 Assuming that one could build a machine that could – 128-bit keys, operates on 8-byte blocks (like DES) recover a DES key in a second (i.e., try 256 keys per – algorithm is more secure than DES second), then it would take that machine RC4, by Ron Rivest approximately 149 trillion years to crack a 128-bit – 1995 AES key. To put that into perspective, the universe – key size up to 2048 bits is believed to be less than 20 billion years old. – not secure against multiple messages encrypted with the same key AES - Advanced Encryption Standard – NIST proposed successor to DES, chosen in October 2000 – based on Rigndael cipher – 128, 192, and 256 bit keys

http://csrc.nist.gov/encryption/aes/

Page 125 Page 126

21 The end.

Page 127