SECRET KEY: STREAM CIPHERS & BLOCK CIPHERS Sicurezza nelle reti e nei sistemi SECRET KEY CRYPTOGRAPHY march march Alice and Bob share 2010 A crypto protocol E Secret key: key: Secret stream & block ciphers A secret key K They communicate using E with key K Adversary knows E, knows some exchanged messages but ignores K Two approaches: Stream Cipher Block ciphers 2 STREAM CIPHERS march march Idea: try to simulate one-time pad 2010 define a secret key (“seed”) key: Secret stream & block ciphers using the seed generates a byte stream (Keystream): i-th byte is function of only key (synchronous stream cipher), or both key and first i-1 bytes of ciphertext (asynchronous stream cipher) obtain ciphertext by using XOR of plaintext and keystream (bit-wise) 3 SYNCHRONOUS STREAM CIPHER march march 2010 key encryption key: Secret stream & block ciphers stream plaintext = ciphertext 4 SYNCHRONOUS STREAM CIPHER march march 2010 key decryption key: Secret stream & block ciphers stream ciphertext = plaintext 5 CIPHER STREAMS IN PRACTICE march march Many codes before 2010 1940 Secret key: key: Secret stream & block ciphers Enigma - II world war (Germany) A5 – GSM (encryption cell phone-base station) WEP - used in Ethernet 802.11 (wireless) RC-4 (Ron‟s Code) Enigma wiring diagram showing current flow. The A key is encoded to the D lamp. D yields A, but A never yields A; this property was due to 6 a patented feature unique to the Enigmas, and could be exploited by cryptanalysts in some situations. A5/1 march march Stream cipher (1987) used to provide over-the-air 2010 communication privacy in the GSM cellular telephone standard key: Secret stream & block ciphers It was initially kept secret, but became public knowledge through leaks and reverse engineering. A number of serious weaknesses in the cipher have been identified. Used in Europe and the United States. A5/2 was a deliberate weakening of the algorithm for certain export regions Initially kept secret, but the general design was leaked in 1994, and the algorithms were entirely reverse engineered in 1999 by Marc Briceno There was a terrific row between the NATO signal intelligence agencies in the mid 1980s over whether 7 GSM encryption should be strong or not Ronald Linn Rivest RC-4 march march RC: Ron‟s Code 2010 (Ron = Ronald Rivest, MIT, born in key: Secret stream & block ciphers 1947 in NY state) Considered safe: 1987 - 1994 kept secret, after „94 extensively studied Good for exporting (complaining US restrictions) Easy to program, fast Very popular: Lotus Notes, SSL, Wep etc. 8 RC4: PROPERTIES march march variable key length (byte) 2010 synchronous key: Secret stream & block ciphers starting from the key, it generates an apparently random permutation eventually the sequence will repeat however, long period > 10100 (in this way it simulates one-time-pad) very fast: 1 byte of output requires 8-16 instructions 9 RC-4 INITIALIZATION march march Goal: generate a (pseudo)random permutation of 2010 the first 256 natural numbers Secret key: key: Secret stream & block ciphers 1. j=0 2. S0=0, S1=1, …, S255=255 3. Assume a key of 256 bytes k0,…,k255 (if the key is shorter, repeat) 4. for i=0 to 255 do j = (j + Si+ ki) mod 256 exchange Si and Sj In this way we obtain a permutation of 0, 1, …,255, the resulting permutation is a function of the key 10 RC-4 KEY-STREAM GENERATION march march Input: permutation S of 0,1,…255 2010 1. i = 0, j = 0 key: Secret stream & block ciphers 2. while (true) 3. i = (i + 1) mod 256 4. j = (j + Si) mod 256 5. exchange Si and Sj 6. t = (Si + Sj) mod 256 7. k = St // compute XOR at every iteration compute the XOR between k and next byte of plaintext (or ciphertext) 11 BLOCK CIPHERS march march 2010 Given Secret key: key: Secret stream & block ciphers a block P of text of h bits (h fixed) P a key k of fixed # of bits a cryptographic protocol Ek produces Ek a block C of h bits, function of P and k Note: lengths of both block and key C (# of bits) are fixed (not necessarily equal) 12 REAL WORLD BLOCK CIPHERS march march DES, 3-DES - (64 bit block, 56 bit key) 2010 AES (Rijndael) (128 bit block, 128-256 bit key) Secret key: key: Secret stream & block ciphers RC-2 RC-5 IDEA (64 bit block, 128 bit key) Blowfish, Cast Gost 13 SYMMETRIC BLOCK CIPHERS march march 2010 Secret key: key: Secret stream & block ciphers Standard out in DES AES 14 HISTORIC NOTE march march DES (data encryption standard) is a symmetric block 2010 cipher using 64 bit blocks and a 56 bit key. Secret key: key: Secret stream & block ciphers Developed at IBM, approved by the US government (1976) as a standard. Size of key (56 bits) was apparently small enough to allow the NSA (US national security agency) to break it exhaustively even back in 70‟s. In the 90‟s it became clear that DES is too weak for contemporary hardware & algorithmics (Matsui “linear attack”, requires only 243 known plaintext/ciphertext pairs; in 1999 Deep Crack and distributed.net break a DES key in 22 hours and 15 minutes) 15 HISTORIC NOTE (CONT.) march march The US government NIST (National Inst. of 2010 standards and technology) announced a call for an Secret key: key: Secret stream & block ciphers advanced encryption standard in 1997. This was an international open competition. Overall, 15 proposals were made and evaluated, and 6 were finalists. Out of those, a proposal named Rijndael, by Daemen and Rijmen (two Belgians), was chosen in February 2001. 16 AES - ADVANCED ENCRYPTION STANDARD march march 2010 Symmetric block cipher key: Secret stream & block ciphers Key lengths: 128, 192, or 256 bits Approved US standard (2001) Finite fields algebra 17 AES - ADVANCED ENCRYPTION STANDARD march march Symmetric block cipher 2010 Key lengths: 128, 192, or 256 bits key: Secret stream & block ciphers Rationale Resistance to all known attacks Speed and code compactness good for devices with limited computing power, e.g. smart cards Simplicity 18 AES SPECIFICATIONS march march 2010 • Input & output block length: 128 bits. • State: 128 bits, arranged in a 4-by-4 matrix of bytes. key: Secret stream & block ciphers A0,0 A0,1 A0,2 A0,3 Each byte is viewed as an A1,0 A1,1 A1,2 A1,3 element in A2,0 A2,1 A2,2 A2,3 GF(28) A3,0 A3,1 A3,2 A3,3 Input/Output: A , A , A , A , A ,… 0,0 1,0 2,0 3,0 0,1 19 AES Specifications • Key length: 128, 196, 256 bits. march march Cipher Key Layout: n = 128, 196, 256 bits, arranged in a 2010 4-by-n/32 matrix of bytes. key: Secret stream & block ciphers K0,0 K0,1 K0,2 K0,3 K0,4 K0,5 K1,0 K1,1 K1,2 K1,3 K1,4 K1,5 K2,0 K2,1 K2,2 K2,3 K2,4 K2,5 K3,0 K3,1 K3,2 K3,3 K3,4 K3,5 Initial layout: K , K , K , K , K ,… 0,0 1,0 2,0 3,0 0,1 20 AES SPECIFICATIONS march march High level code 2010 Secret key: key: Secret stream & block ciphers AES(State, Key) KeyExpansion(Key, ExpandKey) AddRoundKey(State, ExpandKey[0]) for (i = 1; i < R; i++) do Round(State, ExpandKey[i]); FinalRound(State, ExpandKey[R]); 21 Encryption: Carried out in rounds Secret key (128 bits) input block march (128 bits) 2010 Secret key: key: Secret stream & block ciphers output block (128 bits) 22 Rounds in AES 128 bits AES uses 10 rounds, no shortcuts march known for 6 rounds 2010 • The secret key is expanded from 128 bits Secret key: key: Secret stream & block ciphers to 10 round keys, 128 bits each. • Each round changes the state, then XORs the round key. (for longer keys, add one round for every extra 32 bits) Each rounds complicates things a little. Overall it seems infeasible to invert without 23 the secret key (but easy given the key). AES Specifications: One Round Transform the state by applying: march 2010 1. Substitution key: Secret stream & block ciphers A0,0 A0,1 A0,2 A0,3 2. Shift rows A1,0 A1,1 A1,2 A1,3 3. Mix columns 4. XOR round key A2,0 A2,1 A2,2 A2,3 A3,0 A3,1 A3,2 A3,3 24 Substitution (S-Box) march march Substitution operates on every Byte 2010 -1 separately: Ai,j <-- Ai,j key: Secret stream & block ciphers (multiplicative inverse in GF(28) which is highly non linear) If Ai,j = 0, don‟t change Ai,j Clearly, the substitution is invertible. 25 Cyclic Shift of Rows march march 2010 Secret key: key: Secret stream & block ciphers A0,0 A0,1 A0,2 A0,3 no shift shift 1 position A1,3 A1,0 A1,1 A1,2 shift 2 positions A2,2 A2,3 A2,0 A2,1 shift 3 positions A3,1 A3,2 A3,3 A3,0 Clearly, the shift is invertible. 26 Mixing Columns Every state column is considered as a Polynomial over GF(28) march 2010 Multiply with an invertible polynomial key: Secret stream & block ciphers 03 x3 + 01x2 + 01x + 02 (mod x4 + 1) Inv = 0B x3 + 0D x2 +09 x + 0E Round: SubBytes(State) ShiftRows(State) MixColumns(State) AddRoundKey(State,ExpandedKey[i]) 27 KEY EXPANSION march march Generate a “different key” per round 2010 Need a 4 x 4 matrix of values (over key: Secret stream & block ciphers GF(28)) per round Based upon a non-linear transformation of the original key.