New Developments in Cryptography March 2012 Bart Preneel Outline New developments in cryptology • 1. Cryptology: concepts and algorithms Prof. Bart Preneel • 2. Cryptology: protocols COSIC • 3. Public-Key Infrastructure principles Bart.Preneel(at)esatDOTkuleuven.be • 4. Networking protocols http://homes.esat.kuleuven.be/~preneel • 5. New developments in cryptology March 2012 • 6. Cryptography best practices © Bart Preneel. All rights reserved 1 2 Outline Block ciphers P1 P2 P3 • Block ciphers/stream ciphers • Hash functions/MAC algorithms block block block • Modes of operation and authenticated cipher cipher cipher encryption • How to encrypt/sign using RSA C1 C2 C3 • Multi-party computation • larger data units: 64…128 bits •memoryless • Concluding remarks • repeat simple operation (round) many times 3 3-DES: NIST Spec. Pub. 800-67 AES (2001) (May 2004) S S S S S S S S S S S S S S S S • Single DES abandoned round • two-key triple DES: until 2009 (80 bit security) • three-key triple DES: until 2030 (100 bit security) round MixColumnsS S S S MixColumnsS S S S MixColumnsS S S S MixColumnsS S S S hedule Highly vulnerable to a c round • Block length: 128 bits related key attack • Key length: 128-192-256 . Key S Key . bits round A $ 10M machine that cracks a DES Clear DES DES-1 DES %^C& key in 1 second would take 149 trillion text @&^( years to crack a 128-bit key 1 23 1 New Developments in Cryptography March 2012 Bart Preneel AES variants (2001) AES implementations: • AES-128 • AES-192 • AES-256 efficient/compact • 10 rounds • 12 rounds • 14 rounds • sensitive • classified • secret and top • NIST validation list: 1953 implementations (2008: 879) secret plaintext plaintext plaintext http://csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html round round. round [‘05] dule • HW: 43 Gbit/s in 130 nm CMOS ) . ule le 8 . e . round . round • Intel: new AES instruction: 0.75 cycles/byte [’09-’10] Key (12 Key . round round (192) Key . • SW: 7.6 cycles/byte on Core 2 or 110 Mbyte/s bitsliced Key (256) Key Key Sch Key . [Käsper-Schwabe’09] Key Sched Key round . Key Schedu Key round • HW: most compact: 3600 gates Light weight key schedule, in particular for the 256-bit version – KATAN: 1054, PRESENT: 1570 AES: security AES-256 security • Exhaustive key search on AES-256 takes 2256 encryptions • cryptanalysis: no attack has been found that can –264: 10 minutes with $ 5M exploit this structure (in spite of the algebraic –280: 2 year with $ 5M “attack” [Courtois’02]) –2120 : 1 billion years with $ 5B • [Biryukov-Khovratovich’09] related key attack on AES-256 • implementation level attack – requires 2119 encryptions with 4 related key s, – data & time complexity 2119 << 2256 – cache attack precluded by bitsliced implementations • Why does it work? Very lightweight key schedule or by special hardware support – fault attack requires special countermeasures • Is AES-256 broken? No, only an academic “weakness” that is easy to fix • No implications on security of AES-128 for encryption • Do not use AES-256 in a hash function construction What is a related key attack? Should I worry about a related key attack? • Attacker chooses plaintexts and key difference C • Very hard in practice (except some old US banking • Attacker gets ciphertexts schemes and IBM control vectors) • Task: find the key C • If you are vulnerable to a related key attack, you are making very bad implementation mistakes plaintext1 plaintext2 plaintext1 • This is a very powerful attack round round model: if an opponent can round zeroize 96 key bits of his round round round choice (rather than adding a round round round value), he can find the key in h Key (256) Key . Key (256) Key Key (256) Key . a few seconds . Key Schedule Key . Schedule Key Key Schedule Key round round round • If you are worried, hashing the key is an easy fix ciphertext1 ciphertext2 ciphertext1 2 New Developments in Cryptography March 2012 Bart Preneel Related key attacks on AES-256 and KASUMI KASUMI (2002) Security level in bits Exhaustive search AES [Biryukov- • Widely used in all 3G phones 300 Khovratovich’09] 4 related keys • Present in 40% of GSM phones but not 250 data & time yet used 200 comppylexity Ex haus tive search KASUMI 2119 << 2256 150 100 • Good news: related key attacks do not Practical [Dunkelman- 50 Keller-Shamir’10] apply in in the GSM or 3G context Related key 0 attack: 4 keys, 0 58 1014 15 226 data & 232 rounds time << 2128 KASUMI New announcement: August 2011 [Dunkelman-Keller-Shamir’09] [Bogdanov-Khovratovich-Rechberger] • Practical related key attack announced in • No related keys (attack in 2005) December 2009 on the block cipher KASUMI used in 3GPP • For AES-128: with 288 plaintext/ciphertext pairs, – 4 re ltdklated keys, 226 dtdata, 230 btbytes o f memory, an d the effective key size can be reduced by 2 bits 232 time (AES-126) • It is not possible to carry out this attack in 3G • For AES-192: only 280 plaintext/ciphertext pairs (as related keys are not available) • For AES-256: only 240 plaintext/ciphertext pairs Very minor impact on security and very hard to extend Synchronous Stream Cipher (SSC) Stream ciphers IV state IV state init init • historically very important (compact) – LFSR-based: A5/1, A5/2, E0 – practical attacks K next K next known state state – software-oriented: RC4 – serious weaknesses function function – block cipher in CTR or OFB (slower) • today: output output – many broken schemes function “looks” function random – exception: SNOW2.0, MUGI P C P – lack of standards and open solutions 18 3 New Developments in Cryptography March 2012 Bart Preneel GSM GSM • A5/1 weak • growing number of open source tools to intercept: – [Barkan+03] requires seconds (software not available so requires math) GnuRAdio, Airprobe, OpenBTS – [Nohl10]: Kraken = 2 Terabyte of Rainbow tables • but needs more work (1-2 years?) http://reflextor.com/trac/a51 • A5/2 trivially weak (milliseconds) – withdrawn in 2007 (took 8 years) • A5/3 (= Kasumi) seems ok but slow adoption (even if in 1.2 billion out of 3 billion handsets) • Simpler attacks on GSM – eavesdrop after base station (always cleartext) – switch off encryption (can be detected) – SMS of death GSM International • China: • be careful when rolling out 2-factor – ZUC as 3rd algorithm in LTE (also SMII, SMIII) – National Cryptography Industry Standards Technical Committee authentication via SMS established on 19/10/2011 • war texting hacks on car systems and mod 231 − 1 215 217 221 220 12+ 8 S S S S S S S S S S S S S S S S SCADA systems [Black Hat, Aug’11] 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0 X X X 0 X1 2 3 R1 R2 Every algorithm used in L L 1 2 China needs to be designed in China intercepting mobile phone traffic is illegal • US: NIST is very active in standardization Open competition for stream ciphers The eSTREAM Portfolio http://www.ecrypt.eu.org Apr. 2008 (Rev1 Sept. 2008) (in alphabetical order) • run by ECRYPT – high performance in software (32/64-bit): 128-bit key Software Hardware – low-gate count hardware (< 1000 gates): 80-bit key – variants: authenticated encryption HC-128 F-FCSR-H • April 2005: 33 submissions Rabbit Grain v1 • many broken in first year • April 2008: end of competition Salsa20/12 MICKEY v2 Sosemanuk Trivium 3-10 cycles per byte 1500..3000 gates 23 24 4 New Developments in Cryptography March 2012 Bart Preneel Performance reference data Rogue CA attack (Pentium M 1.70GHz Model 6/9/5) [Sotirov-Stevens-Appelbaum-Lenstra-Molnar-Osvik-de Weger ’08] request user cert; by special encryption speed (cycles/byte) Self-signed collision this results in a fake CA root key 120 cert (need to predict serial number 100 + validity period) 80 CA1 CA2 Rogue CA 60 key setup (cycles) 40 35000 impact: rogue CA that User1 User2 User x 20 30000 can issue certs that are 25000 0 trusted by all RC4 HC-128 DES 3-DES AES 20000 15000 browsers 10000 5000 0 6 CAs have issued certificates signed with MD5 in 2008: RC4 HC- DES 3-DES AES 128 Rapid SSL, Free SSL (free trial certificates offered by RapidSSL), 26 26 25 TC TrustCenter AG, RSA Data Security, Verisign.co.jp Low cost hw: throughput versus area Hash functions [Bogdanov+08,Sugawara+08] (100 KHz clock, technology in multiples of 10 nm) 900 Protect short hash value rather • collision resistance GRAIN[8] (13) Trivium[8](13) than long text • preimage resistance ) 800 Enocoro-80[8](18) nd 700 •2 preimage resistance Kbps 600 ( mCRYPTON-96/128 (13) t u 500 CLEFIA (9) This is an input to a crypto- hp 400 graphic hash function. The input g PRESENT-128 (18) 300 is a very long string, that is PICCOLO-128 reduced by the hash function to a HIGHT (25) TDEA (9) string of fixed length. There are 200 1A3FD4128A198FB3CA345932 GOST (18) (13)Trivium(13) additional security conditions: it h Throu GRAIN 100 SEA (13) AES (13) should be very hard to find an KATAN (18) (18) AES (35) input hashing to a given value (a KTANTAN (18) TEA MISTY1 (18) preimage) or to find two colliding 0 PRESENT-80 (18) inputs (a collision). PRINTcipher-960 1000 2000 3000 4000 5000 6000 (18) LED-128 (18) Gate equivalents 27 The complexity of collision attacks SHA-1 • SHA designed by NIST (NSA) in ‘93 Brute force: 4 million PCs or US$ 100K hardware (1 year) • redesign after 2 years (’95) to SHA-1 90 90 80 80 [Wang+’05] 70 MD4 70 [Mendel+’08] 60 [Manuel+’09] MD5 60 [Wang+’04] 50 SHA-0 50 40 [McDonald+’09] SHA-1 SHA-1 40 30 30 20 Brute force 20 10 Largely unpublished/withdrawn 10 0 0 92 94 96 00 02 06 10 19 1992 19 19 1998 20 20 2004 20 2008 20 2003 2004 2005 2006 2007 2008 2009 2010 Prediction: collision for SHA-1 in the next 12-18