
CIT 480: Securing Systems

Symmetric Cryptography

Topics

1.
2. Transposition
3. Substitution Ciphers
4. :
5. Block Ciphers
6. AES and DES
7. Stream Ciphers
8.

Modular Arithmetic

Congruence
– a = b (mod N) iff a = b + kN
– ex: 37 = 27 (mod 10)
– b is the residue of a, modulo N
– Integers 0..N-1 are the set of residues mod N

Modulo 12 number system

What is Cryptography?

Cryptography: The art and science of keeping messages secure.

Cryptanalysis: the art and science of decrypting messages.

Cryptology: cryptography + cryptanalysis

Terminology

Plaintext: message P to be encrypted. Also called cleartext.

Encryption: altering a message to keep its contents secret.

Ciphertext: encrypted message C.

Cæsar Cipher

Plaintext is HELLO WORLD
Change each letter to the third letter following it (X goes to A, Y to B, Z to C)
– Key is 3, usually written as letter ‘D’
Ciphertext is KHOOR ZRUOG

ROT 13

Cæsar cipher with key of 13
– 13 chosen since encryption and decryption are the same operation
– Used to hide spoilers, punchlines, and offensive material online.

Kerckhoffs’ Principle

Security of a cryptosystem should only depend on
1. Quality of shared encryption algorithm E
2. Secrecy of key K
Security through obscurity tends to fail
– ex: DVD Content Scrambling System

Cryptanalysis

Goals
1. Decrypt a given message.
2. Recover encryption key.

Threat models vary based on
1. Type of information available to adversary
2. Interaction with cryptosystem.

Cryptanalysis Threat Models

ciphertext only: adversary has only ciphertext; goal is to find plaintext, possibly key.
known plaintext: adversary has ciphertext and corresponding plaintext; goal is to find key.
chosen plaintext: adversary may supply plaintext and obtain corresponding ciphertext; goal is to find key.

Brute Force Attack

Exhaustive search of keyspace by decrypting ciphertext C with all possible keys K.

– Must determine if D_K(C) is a likely plaintext
– Requires some knowledge of format (doc type)
For N possible keys,
– Worst case is N decryptions.
– Mean case is N/2 decryptions.
Example: DES has 56-bit keys
– Average time to find key is 2^55 decryptions.

Is 128 Bits Enough?

128-bit keyspace permits 2^128 keys
– 340,282,366,920,938,463,463,374,607,431,768,211,456 or
– 3.4 x 10^38 keys
Cracking 1 trillion (10^12) keys per second requires
– 3.4 x 10^26 seconds or
– 1.08 x 10^19 years
Cracking 1 trillion keys per second on 1 billion CPUs
– requires 1.08 x 10^10 years = 10.8 billion years

Classical Cryptography

Sender and receiver share common key
– Keys may be the same, or be trivial to derive from one another.
– Sometimes called symmetric cryptography.

P → encrypt → C → decrypt → P, with the same key K used by both encrypt and decrypt

Brute Force vs. Cæsar Cipher

Brute Force attack
– Only 26 possible keys.
– PC can try all in <1s.

Decryption key (26-K)   Candidate plaintext
0    exxegoexsrgi
1    dwwdfndwrqfh
2    cvvcemcvqpeg
3    buubdlbupodf
4    attackatonce
5    zsszbjzsnmbd
6    yrryaiyrmlac
...
23   haahjrhavujl
24   gzzgiqgzutik
25   fyyfhpfytshj

General Simple Substitution

Keys: All permutations of the alphabet (26! keys)
Encryption: Replace each plaintext letter x with K(x)
Decryption: Replace each ciphertext letter y with K^-1(y)
Example:
    A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
K = F U B A R D H G J I L K N M P O S Q Z W X Y V T C E

CRYPTO → BQCOWP

General Simple Substitution Security
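Added example (not from the slides): the substitution cipher with the key alphabet K above, its inverse, and a check that the multiset of letter counts is identical before and after encryption, which is exactly what frequency analysis exploits. The sample sentence is constructed for the demonstration.

```python
from collections import Counter
import random
import string

PLAIN = string.ascii_uppercase
# Cipher alphabet K from the slide: plaintext letter PLAIN[i] encrypts to KEY[i].
KEY = "FUBARDHGJILKNMPOSQZWXYVTCE"

def make_key():
    """Choose one of the 26! keys uniformly: a random permutation of the alphabet."""
    letters = list(PLAIN)
    random.shuffle(letters)
    return ''.join(letters)

def invert(key):
    """Build K^-1: the alphabet that maps each ciphertext letter y back to its x."""
    inverse = [''] * 26
    for x, y in zip(PLAIN, key):
        inverse[PLAIN.index(y)] = x
    return ''.join(inverse)

def substitute(text, key):
    """Replace each letter x with K(x); non-letters pass through. Decrypt by passing invert(key)."""
    return text.upper().translate(str.maketrans(PLAIN, key))

def letter_counts(text):
    return Counter(c for c in text.upper() if c in PLAIN)

def frequency_profile(text):
    """The counts alone, letter identities stripped: a substitution leaves this unchanged."""
    return sorted(letter_counts(text).values(), reverse=True)

def likely_e(ciphertext):
    """First step of frequency analysis: the most common ciphertext letter probably stands for E."""
    return letter_counts(ciphertext).most_common(1)[0][0]

# Constructed sample message (E is its most frequent letter, as in typical English).
SAMPLE = "THE EARLY BIRD CATCHES THE WORM BEFORE THE WORM SEES THE BIRD"
```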

Exhaustive search impossible
– Key space size is 26! ≈ 4 x 10^26
– Historically thought to be unbreakable.
However, languages have different frequencies of
• letters
• digraphs (groups of 2 letters)
• trigraphs (groups of 3 letters)
• etc.
Simple substitution ciphers preserve letter frequencies.

English Letter Frequencies

Additional Frequency Features

Digraph frequencies
– Common digraphs: EN, RE, ER, NT
Trigraph frequencies
– Common trigraphs: THE, AND, ING
– Digraph and trigraph tables can be found at http://www.sttmedia.com/syllablefrequency-english
The letter Q is followed only by U.

Countering Frequency Analysis

Primary weakness of simple substitution:
– Each ciphertext letter corresponds to only one letter of plaintext.
Solution: polyalphabetic substitution
– Use multiple cipher alphabets.
– Switch between cipher alphabets from character to character in the plaintext.

Letter Frequency Distributions

Vigenère Cipher

Use a phrase instead of a letter as key.
Example
– Message THE BOY HAS THE BALL
– Key VIG
– Encipher using Cæsar cipher for each letter:
  key     VIGVIGVIGVIGVIGV
  plain   THEBOYHASTHEBALL
  cipher  OPKWWECIYOPKWIRG
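Added example (not from the slides): Vigenère with the key VIG above, plus known-plaintext key recovery, which is the threat model from the cryptanalysis slide applied to this cipher. The same recovery run on the one-time pad example two slides below (ciphertext DXQR) returns a valid key for DOIT and for DONT alike, which is why a key as long as the message gives the attacker nothing to choose between.

```python
import string

A = string.ascii_uppercase

def letters_only(text):
    """Keep A-Z only, upper-cased, so spaces in the message do not consume key letters."""
    return ''.join(c for c in text.upper() if c in A)

def vigenere(text, key, decrypt=False):
    """Cæsar-shift letter i of the text by key letter i mod len(key); reverse the shift to decrypt."""
    key = letters_only(key)
    out = []
    for i, c in enumerate(letters_only(text)):
        shift = A.index(key[i % len(key)])
        if decrypt:
            shift = -shift
        out.append(A[(A.index(c) + shift) % 26])
    return ''.join(out)

def recover_key(plaintext, ciphertext):
    """Known-plaintext attack: the key stream is ciphertext minus plaintext, letter by letter."""
    p, c = letters_only(plaintext), letters_only(ciphertext)
    return ''.join(A[(A.index(y) - A.index(x)) % 26] for x, y in zip(p, c))

def shortest_period(stream):
    """Smallest repeating unit of a recovered key stream, i.e. the phrase actually used."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream
```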

Reproduction of CSA

One-Time Pad

• A Vigenère cipher with a random key at least as long as the message.
• Provably unbreakable.

• Example ciphertext: DXQR.
• Equally likely to correspond to
  – plaintext DOIT (key AJIY)
  – plaintext DONT (key AJDY)
  – and any other 4 letters.

Binary One Time Pad

Encrypt a message M with pad P to produce ciphertext C = M ⊕ P where ⊕ is the exclusive OR operator.

Decrypt a ciphertext C with the same pad P

M = C ⊕ P

One Time Pad Problems

1. The one-time pad must be random. Software pseudo-random number generators are not random. Pad needs hardware randomness.
2. Transmission of long pads is difficult. The pad is just as long as all the messages you’ll ever send with it, so you’ve just moved the problem of transmitting secret messages to transmitting a secret pad.
3. Pad must always be kept secret. If pad is ever discovered, then attacker can decrypt old messages. Pads must be securely destroyed at end of use.

Block Ciphers

Encrypt groups (blocks) of chars at once.
Improvement over single char substitution
– Cryptanalysis must use digraph frequencies for two-char blocks.
– Longer blocks are more difficult to analyze.
– Modern ciphers are block ciphers.
Example: , 1854

DES is Insecure

Brute force attacks can be completed in <1 day.
– Distributed computing attacks.
– RIVYERA FPGA-based parallel computer breaks DES in <1 day for a hardware cost of <$10,000.
Linear cryptanalysis faster than brute force
– Need 2^41 known plaintexts

Triple DES

Encrypt-Decrypt-Encrypt Mode (3 keys: k, k´, k´´)
– c = DES_k(DES^-1_k´(DES_k´´(m)))
– Middle decrypt allows backward compatibility if all keys are equal: k = k´ = k´´
– Double-encryption vulnerable to meet-in-the-middle attack, reducing difficulty from 2^112 to 2^57.

Advanced Encryption Standard (AES)

Winner of open NIST competition (1997-2000)
– Rijndael, designed by and .
– Published as FIPS 197 in November 2001.
128-bit blocks
– 128-, 192-, or 256-bit keys.
– 10, 12, or 14 rounds, depending on key size.
Replacement for DES
– DES vulnerable to brute force attacks due to 56-bit keys.
– Triple DES is very slow.

Electronic Code Book Mode

Encrypt each block independently.

E(block) = C_block: the same ciphertext block each time the block appears

Therefore attacker can build dictionary of blocks.

ECB encryption of bitmap hides colors but image is still discernible.

Cipher Block Chaining Mode

XOR each block with previous ciphertext block. Random initialization vector (IV) used for 1st block.

CBC encryption of bitmap looks random.

Cipher Block Chaining Mode

Formula for CBC encryption (i=1 is 1st block)

Formula for CBC decryption

Stream Ciphers
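Added example (not from the slides): ECB, CBC and counter mode run over a toy 8-byte block cipher that I supply as a stand-in for DES/AES; the toy cipher is not secure and exists only so the modes execute offline. It shows the ECB dictionary problem, the CBC formulas C_i = E_K(P_i ⊕ C_{i-1}) and P_i = D_K(C_i) ⊕ C_{i-1} with C_0 = IV, and counter mode, the block-cipher-to-stream-cipher construction this slide mentions; inputs to ECB/CBC are assumed to be whole blocks (no padding shown).

```python
import os

BLOCK = 8  # toy block size in bytes

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def toy_encrypt_block(key, block):
    """Toy stand-in for AES/DES: XOR key, rotate bytes left by one, XOR key again. NOT secure."""
    t = xor(block, key)
    return xor(t[1:] + t[:1], key)

def toy_decrypt_block(key, block):
    """Inverse of toy_encrypt_block: XOR key, rotate right, XOR key."""
    t = xor(block, key)
    return xor(t[-1:] + t[:-1], key)

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, plaintext):
    """Each block encrypted independently: equal plaintext blocks give equal ciphertext blocks."""
    return b''.join(toy_encrypt_block(key, p) for p in blocks(plaintext))

def cbc_encrypt(key, iv, plaintext):
    """C_i = E_K(P_i XOR C_{i-1}) with C_0 = IV."""
    prev, out = iv, []
    for p in blocks(plaintext):
        prev = toy_encrypt_block(key, xor(p, prev))
        out.append(prev)
    return b''.join(out)

def cbc_decrypt(key, iv, ciphertext):
    """P_i = D_K(C_i) XOR C_{i-1}."""
    prev, out = iv, []
    for c in blocks(ciphertext):
        out.append(xor(toy_decrypt_block(key, c), prev))
        prev = c
    return b''.join(out)

def ctr_crypt(key, nonce, data):
    """Counter mode: keystream block i = E_K(nonce || i); XOR makes encrypt and decrypt identical."""
    nblocks = -(-len(data) // BLOCK)  # ceiling division: partial last block is fine
    stream = b''.join(toy_encrypt_block(key, nonce + i.to_bytes(4, 'big')) for i in range(nblocks))
    return xor(data, stream)  # zip truncates the stream to len(data)

def random_iv():
    """A fresh random IV per message, as the CBC slide requires."""
    return os.urandom(BLOCK)
```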

Combine plaintext with cipher bitstream
– Cipher generates stream of pseudo-random bits
– Loosely inspired by one time pad.
RC4 is most widely used
– Variable length key: 40 to 128 bits
– Aircrack breaks 104-bit RC4 used in WEP in 1 min
– No known practical attacks against 128-bit, but
– Much speculation that NSA can crack 128-bit RC4.
Block cipher to stream cipher
– Using block cipher in Counter Mode.
– XOR counter mode data with plaintext.

Importance of RNGs

"We need all those brilliant Belgian cryptographers to go 'alright we know that these encryption we are using today work, typically it is the random number generators that are attacked as opposed to the encryption algorithms themselves. How can we make them [secure], how can we test them?'" -- Ed Snowden at SXSW

Goal: Ensure best attack against cipher is brute force.
Solution: Given set of K potential keys, choose one randomly.
– Selecting a random number between 0 and K–1.
– Ex: For a 128-bit key, select number between 0 and 2^128-1
Difficulty: generating random numbers
– Hardware random number generators gather entropy from the physical world but are expensive and limited in how many bits/second they produce.
– Software generated numbers are pseudo-random (PRNGs), that is, generated by an algorithm.
– If starting with the same seed, then PRNGs will produce the same sequence of numbers each time.

Linear Congruential Generator

n_k = (a·n_{k-1} + b) mod m
  m    Modulus (a large prime integer), maximum period
  a    Multiplier (integer from 2..m-1)
  b    Increment
  n_0  Sequence initializer (seed)

LCG Period
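Added example (not from the slides): an LCG, the full-period test from this slide (the Hull-Dobell conditions), a brute-force period count for a small modulus, and next-output prediction from a single observed value. The parameters 1664525 and 1013904223 mod 2^32 are the Numerical Recipes constants, used here only as a test case; m = 16, a = 5, b = 3 is a constructed toy.

```python
from math import gcd

def lcg(seed, a, b, m):
    """Generator for n_k = (a * n_{k-1} + b) mod m, starting from n_0 = seed."""
    n = seed % m
    while True:
        n = (a * n + b) % m
        yield n

def prime_factors(n):
    """Distinct prime factors by trial division (fine for moduli up to ~2^64)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors

def has_full_period(a, b, m):
    """The three conditions on the slide; True means every seed yields period m."""
    if gcd(b, m) != 1:                      # b and m relatively prime
        return False
    if any((a - 1) % p for p in prime_factors(m)):  # a-1 divisible by every prime factor of m
        return False
    return m % 4 != 0 or (a - 1) % 4 == 0   # a-1 multiple of 4 if m is

def period(seed, a, b, m):
    """Count outputs until the sequence returns to its first value (small m only)."""
    gen = lcg(seed, a, b, m)
    first, count = next(gen), 1
    while next(gen) != first:
        count += 1
    return count

def predict_next(observed, a, b, m):
    """With a, b, m public (Kerckhoffs), one observed output fixes every later one."""
    return (a * observed + b) % m
```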

The period of an LCG is at most m, the modulus.
– Modulus only allows numbers 0 .. m-1 to be produced.
– An LCG with a period of m is said to have a full period.
An LCG will have a full period for all seeds iff
– b and m are relatively prime,
– a-1 is divisible by all prime factors of m,
– a-1 is a multiple of 4 if m is a multiple of 4
For production LCGs, m = 2^32-1 common
– a = 16807 is well studied full period multiplier
LCGs are predictable, and thus not secure for crypto
– Knowing just one LCG output allows prediction of next.

Seeds for PR Generation

Input used to generate initial pseudo-random (PR) numbers.
Seeds should be computationally infeasible to predict
– Generate seed from random, not PR, data.
– Size: 32 bits too small; only 2^32 combinations.
Sequence is periodic, but starts from different point for each different seed.
– Identical sequences produced for identical seeds.
– Period needs to be large for security.

Secure PRNGs

Cryptographically Secure PRNGs (CSPRNGs) must:
1. Statistically appear random.
2. Make the next member of the sequence difficult to predict from previous members.
3. Make the internal state of the PRNG difficult to extract from observed output.
May be re-seeded at runtime, unlike PRNGs.

Classes of CSPRNGs

1. Designs based on cryptographic primitives
– Based on block cipher in counter mode, or
– Use a secure hash of a counter.
2. Number theoretic designs
– Based on hard mathematical problems.
– Example: Blum Blum Shub
3. Special purpose designs
– May introduce extra entropy when available.
– Example: Yarrow (FreeBSD, Mac OS X)

Block Cipher-Based CSPRNG

Operate block cipher in counter mode.
– Choose a random key.
– Nonce is a random initialization vector.
– Plaintext is a predictable sequence, produced by incrementing by 1 or by any aperiodic function.

Blum Blum Shub

x_{n+1} = x_n^2 mod M

Blum Number M
– Product of two large primes, p and q
– p mod 4 = 3, q mod 4 = 3
Seed
– Choose random integer x, relatively prime to M.
– x_0 = x^2 mod M

Blum Blum Shub
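Added example (not from the slides): Blum Blum Shub as defined above, with p = 11 and q = 23 (M = 253) chosen by me so small that the squarings can be checked by hand; a real generator needs primes of hundreds of digits, and the construction, not the size, is what this shows. It validates the Blum conditions on p and q and the relatively-prime requirement on the seed before generating.

```python
from math import gcd

def is_blum_prime(p):
    """Prime and congruent to 3 mod 4 (trial division is adequate at toy sizes)."""
    if p < 2 or p % 4 != 3:
        return False
    return all(p % d for d in range(2, int(p ** 0.5) + 1))

def bbs_seed(x, M):
    """x_0 = x^2 mod M for a seed x relatively prime to M."""
    if gcd(x, M) != 1:
        raise ValueError("seed must be relatively prime to M")
    return x * x % M

def bbs_bits(x, p, q, nbits):
    """Iterate x_{n+1} = x_n^2 mod M and emit the least significant bit of each x_{n+1}."""
    if p == q or not (is_blum_prime(p) and is_blum_prime(q)):
        raise ValueError("p and q must be distinct primes, each congruent to 3 mod 4")
    M = p * q
    state = bbs_seed(x, M)
    bits = []
    for _ in range(nbits):
        state = state * state % M
        bits.append(state & 1)
    return bits

def bits_to_int(bits):
    """Pack output bits (most significant first) into an integer."""
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value
```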

Random Output:

– LSB of x_{n+1}
– Can safely use log2 M bits.
Provably secure
– Distinguishing output bits from random bits is as difficult as factoring M for large M.
Slow
– Requires arbitrary precision software math libraries.

Yarrow

Yarrow is named after the yarrow plant, whose stalks are used in I Ching divination.
– Used for /dev/random in FreeBSD and Mac OS X.
Steps
1. Accumulates entropy from system sources.
2. Pools are SHA-1 hash contexts, 160 bits maximum.
3. Reseeds generator with key made from pool entropy to limit state compromise attacks.
4. Generates numbers using Triple-DES in counter mode.

Ivy Bridge RNG

• Added with Ivy Bridge Core iN CPUs in 2012.
• One RNG per die, not per core.
• Entropy source is thermal noise.

Attacks on PRNGs

Direct Cryptanalytic
– Distinguish between PRNG output and random output with better than 50% accuracy.
Input-Based
– Use knowledge of PRNG input to predict output, or
– Insert input into PRNG to control output.
State Compromise Extension
– Extend previously successful attack that has recovered internal state to recover either or both:
  • past unknown PRNG outputs
  • future PRNG outputs after additional inputs given to PRNG

Key Points: Cryptography

Types of ciphers
– Substitution (monoalphabetic and polyalphabetic)
– Transposition
– Product (Substitution + Permutation)
Cryptanalysis
– Kerckhoffs’ principle
– Brute force attack
  • Find key in at most n tries, for n possible keys.
  • Find key in an average of n/2 tries.
  • A cryptosystem with x-bit keys has 2^x possible keys.
– Frequency analysis.
– One-time pad is provably secure
Block ciphers
– ECB mode insecure; need to use CBC for block ciphers.
– DES obsolete due to small 56-bit keys. 3DES = 112-bit key.
– AES current standard, best symmetric cipher is AES-128.

Key Points: RNGs

1. Secure keys must be randomly generated.
2. RNG types
– Hardware: physical entropy source, which is often used as a seed for the software RNGs.
– PRNG: algorithmic generation of predictable but statistically random number sequences. Example: LCG.
– CSPRNG: PRNG where it is difficult to predict the next number or extract PRNG state. Example: Yarrow.
3. PRNG features
– Periodic: sequence will eventually repeat.
– Seed-dependent: seed determines starting point of sequence; if seed is identical in two runs, sequence is identical.