ECE560 Computer and Information Security Fall 2021 Cryptography Tyler Bletsch Duke University Some slides adapted from slideware accompanying “Computer Security: Principles and Practice” by William Stallings and Lawrie Brown REAL advice for using cryptography • I’m about to teach cryptography basics, which you should know • However, you should not reach for these functions in most real- world programming scenarios!! • Repeat after me: I’ll provide more detailed advice after we understand the theory... 2 Crypto basics summary • Symmetric (secret key) cryptography c = ciphertext p = plaintext . c = Es(p,k) k = secret key Es = Encryption function (symmetric) D = Decryption function (symmetric) . p = Ds(c,k) s • Asymmetric (public key) cryptography Ea = Encryption function (asymmetric) . c = Ea(p,kpub) Da = Decryption function (asymmetric) kpub = public key k = private key . p = Da(c,kpriv) priv . kpub and kpriv generated together, mathematically related • Message Authentication Codes (MAC) . Generate and append: H(p+k), E(H(p),k), or tail of E(p,k) H = Hash function . Check: A match proves sender knew k • Digital signatures s = signature . Generate and append: s = Ea(H(p),kpriv) . Check: Da(s,kpub)==H(p) proves sender knew kpriv 3 Symmetric (Secret Key) Encryption 4 Symmetric cryptography • The primary method for providing confidentiality of data transmitted (“in-flight”) or stored (“at-rest encryption”) • Uses one key for both encryption and decryption. Sender/receiver must already have copies of this key. Given: Plaintext p (arbitrary size) Secret key k (fixed size) Encryption function E Decryption function D Can produce ciphertext c: c = E(p,k) Can recover plaintext: p = D(c,k) 5 How to attack cryptography • Cryptanalysis – apply cleverness . Exploit weaknesses in algorithm or manner of its use . May leverage existing plaintext, ciphertext, or pairs of each . KEY ISSUE: Even if algorithm is “perfect” (unprovable), you might use the algorithm incorrectly. (This is why you don’t roll your own crypto) • Brute-force attack – apply money . Try all possible keys, stop when decrypted result seems readable • Need to try half of all keys on average . Can be done in parallel (i.e., using compute cluster) . Always possible, but if the number of possible keys is large enough, cost to crack > value of info obtained • This is called being computationally secure 6 Hypothetical bad symmetric encryption algorithm: XOR • A lot of encryption algorithms rely on properties of XOR A B A^B 0 0 0 . Can think of A^B as “Flip a bit in A if corresponding bit in B is 1” 0 1 1 . If you XOR by same thing twice, you get the data back 1 0 1 . XORing by a random bit string yields NO info about original data 1 1 0 • Each bit has a 50% chance of having been flipped >>> a=501 >>> b=199 >>> a ^= b >>> print a 306 • Could consider XOR itself to be a symmetric encryption >>> a ^= b >>> print a algorithm (but it sucks at it!) – can be illustrative to explore 501 • Simple XOR encryption algorithm: . E(p,k) = p ^ k (keep repeating k as often as needed to cover p) . D(c,k) = c ^ k (same algorithm both ways!) 7 XOR “encryption” demo Plaintext: 'Hello' Key : 'key' H e l l o Plaintext : 01001000 01100101 01101100 01101100 01101111 k e y Key repeats> k e Key : 01101011 01100101 01111001 01101011 01100101 Ciphertext: 00100011 00000000 00010101 00000111 00001010 ^ XOR result Ciphertext: 00100011 00000000 00010101 00000111 00001010 Key : 01101011 01100101 01111001 01101011 01100101 Decrypted : 01001000 01100101 01101100 01101100 01101111 ^ XOR result H e l l o 8 Types of cryptanalysis attacks • Given the encryption algorithm and ciphertext under attack, attacks we can do: Type of attack Things known to cryptanalyst Ciphertext only (just the ciphertext under attack) Known plaintext • One or more plaintext-ciphertext pairs using same key Chosen plaintext • Plaintext chosen by attacker + ciphertext encrypted with same key Chosen ciphertext • Ciphertext chosen by attacker + “plaintext” decrypted with same key Chosen text • Plaintext chosen by attacker + ciphertext encrypted with same key • Ciphertext chosen by attacker + “plaintext” decrypted with same key 9 Attacking XOR (1) • Known plaintext attack: . Given plaintext : 01001000 01100101 01101100 01101100 01101111 . Given ciphertext : 00100011 00000000 00010101 00000111 00001010 . XOR result : 01101011 01100101 01111001 01101011 01100101 ^^ it's the key!!! • Chosen plaintext attack: . Chosen plaintext : 00000000 00000000 00000000 00000000 00000000 . Given ciphertext : 01101011 01100101 01111001 01101011 01100101 . XOR result : 01101011 01100101 01111001 01101011 01100101 ^^ it's the key!!! • Chosen ciphertext attack: . Chosen ciphertext: 00000000 00000000 00000000 00000000 00000000 . Result plaintext : 01101011 01100101 01111001 01101011 01100101 . XOR result : 01101011 01100101 01111001 01101011 01100101 ^^ it's the key!!! 10 Attacking XOR (2) • Ciphertext only attack: . Ciphertext: 00100011 00000000 00010101 00000111 00001010 . "I assume the plaintext had ASCII text with lowercase letters, and in all such letters bit 6 is 1, but none of the ciphertext has bit 6 set, so I bet the key is most/all lower case letters" . "The second byte is all zeroes, which means the second byte of the key and plaintext are equal" . etc.... • Conclusion: XOR is a sucky encryption algorithm 11 Symmetric ciphers in common use Cipher Key size Block size Year introduced (1975) Now ATMs can exist thanks to this Data Encryption Standard (DES)! DES 56 64 1975 (1995) Ahh, the DES key is too small! It 3DES 112/168 64 1995 can be brute forced really fast! Hurry, duct tape three of them together! Twofish 128/192/256 128 1998 (1998) Crap, now it’s too slow! Lets have a bunch of algorithms come fight Serpent 128/192/256 128 1998 to become the American Encryption Rijndael 128/192/256 128 1998 Standard (AES)! (2001) This guy won and is now called AES. • Triple DES (3DES) still around in legacy stuff like in financial systems (ATMs) • AES dominates everywhere else. • Implemented in hardware in modern CPUs – way faster than software versions of other algorithms (by 5x or more!) • Not sure what to use? Use AES • Some people like to use the other AES finalists (Twofish, Serpent) or other symmetric ciphers not listed here. That’s fine. 12 Okay, but what about that “block size” thing? • These are block ciphers – they just encrypt a block of bits. • How do you apply the cipher to data that’s bigger than just one block? • Answer: modes of operation • Simplest mode of operation: Electronic Code Book (ECB) • Each block of plaintext is encrypted with the same key Problem? 13 Demonstrating the danger of ECB • Electronic Codebook (ECB) is what you’d come up with naively: “Just apply the key to each block” • But this means that identical blocks give identical ciphertext, which can be informative to an attacker... See PoC||GTFO 4:13 for a poem about this 14 Figures from Wikipedia “Block cipher mode of operation” Solution to the “ECB problem” • Develop more sophisticated modes of operation for use with our block cipher. We’ll see several of these – there’s tradeoffs to different techniques • Some will convert our block cipher to a stream cipher . Stream cipher: A cipher where the plaintext is XOR’d with a pseudorandom bit stream derived from the key 15 Figure from https://www.researchgate.net/figure/Stream-cipher-diagram_fig2_318517979 Modes of operation: CBC • Cipher Block Chaining (CBC): . Each block of plaintext is XOR’d with previous block ciphertext . Prevents patterns from being visible even in regular data Initialization Vector (IV) • Random • Not secret (transmitted in clear) • Prevents cryptanalysis, e.g. by preventing a past-seen plaintext from producing the same ciphertext in the first block Encryption parallelizable? No Decryption parallelizable? Yes Random read access? Yes 16 Figures from Wikipedia “Block cipher mode of operation” More about the Initialization Vector • The previous slide showed an “IV” (Initialization Vector”) used to start the chain (it’s XORed with the first block of plaintext). Something like this is used in many modes. IV is random per-message; ensures first block of two ciphertexts don’t match just because plaintexts match. • The IV must be known to both the sender and receiver, typically not a secret (often included in the communication). • IV integrity is important: If an opponent is able to fool the receiver into using a different value for IV, then the opponent is able to invert selected bits in the first block of plaintext. Other attacks, too... A more detailed discussion can be found here. 17 Modes of operation: CTR • Counter (CTR): . Encrypt an incrementing list of integers to make a keystream: turns a block cipher into a stream cipher! . Allows full parallelization and random access Note: A nonce is basically like an initialization vector. Encryption parallelizable? Yes Decryption parallelizable? Yes Random read access? Yes 18 Figures from Wikipedia “Block cipher mode of operation” Further modes of operation • Cipher feedback (CFB): Chained encryption similar to CBC, but just used to produce a keystream – works as a stream cipher • Output feedback (OFB): Very similar to CBC. Neat property: Bitflips in ciphertext become bitflips in plaintext, so error correcting codes work transparently. • Galois/counter mode (GCM): Applies lessons from finite field theory (out of scope for us). This mode performs authentication as well as providing confidentiality. Very common on the modern web. • Many more! See “Block Cipher Modes of Operation” on Wikipedia. 19 Asymmetric (Public Key) Cryptography 20 The problem • Problem with symmetric crypto: I need to The recipient transmit a needs the secret secret key • Want to be able to send a message without having pre-shared a key • Solution: What if the key to decrypt was different than the one to encrypt? 21 Asymmetric (Public Key) Cryptography • Proposed by Diffie and Hellman in 1976 • Based on math; asymmetric: . Uses two separate keys . Public key and private key .